Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share

0 votes
654 views
in Technique[技术] by (71.8m points)

svn - bypass ssl certificate validation in subversion

I'm managing a subversion-based build system and we use a self-signed SSL certificate for the server. So from time to time we get build failures because a new machine has been added and it can't check out, since it's the first time that machine has contacted the svn server.

The error message is like:

icasimpan ~$ svn ls https://scm.myserver.com/trunk
Error validating server certificate for 'https://scm.myserver.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: scm.myserver.com
 - Valid: from Mon, 05 Dec 2011 00:00:00 GMT until Tue, 11 Dec 2012 23:59:59 GMT
 - Issuer: Terms of use at https://www.verisign.com/rpa (c)10, VeriSign Trust Network, VeriSign, Inc., US
 - Fingerprint: c0:69:f6:67:8d:1f:d2:85:c1:94:9f:59:8e:81:cc:81:3d:1e:44:28
(R)eject, accept (t)emporarily or accept (p)ermanently? 

What I typically need is something like curl's --insecure parameter. Right now, our workaround is to just run some simple svn command to which we could answer "permanently", and the issue would be solved... at least until the SSL certificate gets changed/renewed again or the build is done on another new machine.

Has someone solved this issue?

Thanks in advance :)


1 Reply

0 votes
by (71.8m points)

I guess you have two options; throwing all caution overboard and setting --trust-server-cert and --non-interactive from the command line:

 svn help co
 .... snip....
--non-interactive        : do no interactive prompting
--trust-server-cert      : accept unknown SSL server certificates without
                         prompting (but only with '--non-interactive')

and the other option is to use something like openssl s_client with -showcerts to check and validate whether the cert has changed prior to the svn call, and then either abort very cleanly and let a human make the judgment call, or something dirty, like using the -showcerts output to update the known cert in ~/.subversion.

In either case, the bit of nonintuitive magic is in the files in ~/.subversion/auth/svn.ssl.server/<serverrecord>. To extract the cert info you need:

cat <serverrecord> | grep ^MII | base64 -d | openssl x509 -text -noout -inform DER

or something like

cat <serverrecord> | grep ^MII | base64 -d | openssl x509 -inform DER -outform PEM -out current-cert.pem

and can then use openssl s_client with -CApath, or openssl verify with that cert, to see if it has changed and/or use -showcerts to cross check. (Note: substitute perl -e 'use MIME::Base64;print decode_base64(join("",<>));' for base64 -d if needed).
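As an added example (not code from the answer above), the second option written as a pre-flight script: it reads the cached record under ~/.subversion/auth/svn.ssl.server/, recomputes the fingerprint that svn printed in its prompt, fetches the server's live leaf certificate, and refuses to proceed when the two differ, so a build only runs svn --non-interactive against a certificate a human already accepted. The record file format, the MD5-of-realm file name and the meaning of the failures bits are Subversion's own; the sample record, the realm https://scm.myserver.com:443 and the placeholder DER bytes are constructed for this example so it runs offline.

```python
"""Pre-flight check: compare the server certificate Subversion has cached against the
certificate the server presents now.  Added example, not code from the question/answer."""
import base64
import hashlib
import os
import ssl
import sys

# Bits of the 'failures' field of a cached record, as defined in Subversion's svn_auth.h.
FAILURE_BITS = {
    0x1: "not-yet-valid",
    0x2: "expired",
    0x4: "cn-mismatch",
    0x8: "unknown-ca",
    0x40000000: "other",
}


def parse_svn_hash_file(text):
    """Parse svn's auth-cache format: 'K <len>\\n<key>\\nV <len>\\n<value>\\n' pairs ending in 'END'."""
    fields = {}
    pos = 0
    while True:
        nl = text.index("\n", pos)
        header = text[pos:nl]
        pos = nl + 1
        if header == "END":
            return fields
        kind, length = header.split(" ")
        if kind != "K":
            raise ValueError("expected a K header, got %r" % header)
        key = text[pos:pos + int(length)]
        pos += int(length) + 1                      # skip the key and its newline
        nl = text.index("\n", pos)
        kind, length = text[pos:nl].split(" ")
        if kind != "V":
            raise ValueError("expected a V header after key %r" % key)
        pos = nl + 1
        fields[key] = text[pos:pos + int(length)]
        pos += int(length) + 1                      # skip the value and its newline


def build_svn_hash_file(fields):
    """Inverse of parse_svn_hash_file; used only to construct the sample record below."""
    out = ["K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v) for k, v in fields.items()]
    return "".join(out) + "END\n"


def record_path(realm, auth_dir=os.path.expanduser("~/.subversion/auth")):
    """svn names the cache file after the MD5 hex digest of the realm string."""
    return os.path.join(auth_dir, "svn.ssl.server", hashlib.md5(realm.encode()).hexdigest())


def fingerprint(der):
    """SHA-1 fingerprint in the colon-separated form svn shows in its prompt."""
    return ":".join("%02x" % b for b in hashlib.sha1(der).digest())


def pinned_certificate(record_text):
    """Return (DER bytes, names of the failures the user accepted) from a cached record."""
    fields = parse_svn_hash_file(record_text)
    der = base64.b64decode(fields["ascii_cert"])
    mask = int(fields.get("failures", "0"))
    return der, [name for bit, name in FAILURE_BITS.items() if mask & bit]


def live_certificate_der(host, port=443):
    """Fetch the server's leaf certificate without validating it; we compare it ourselves."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def certificate_matches(record_text, live_der):
    """True when the live certificate is byte-for-byte the one accepted earlier."""
    pinned_der, _ = pinned_certificate(record_text)
    return fingerprint(pinned_der) == fingerprint(live_der)


# Constructed sample record.  A real record carries a base64 DER certificate in ascii_cert;
# the placeholder bytes b"abc" stand in for it so the example runs without a server.
SAMPLE_DER = b"abc"
SAMPLE_RECORD = build_svn_hash_file({
    "ascii_cert": base64.b64encode(SAMPLE_DER).decode(),
    "failures": "8",                                # user accepted an unknown-CA certificate
    "svn:realmstring": "https://scm.myserver.com:443",
})


def main(realm="https://scm.myserver.com:443"):
    with open(record_path(realm)) as fh:
        record = fh.read()
    host = realm.split("://", 1)[1].split(":", 1)[0]
    live = live_certificate_der(host)
    pinned, accepted = pinned_certificate(record)
    print("cached  %s (accepted failures: %s)" % (fingerprint(pinned), ", ".join(accepted) or "none"))
    print("live    %s" % fingerprint(live))
    if not certificate_matches(record, live):
        print("certificate changed; refusing to run svn --non-interactive --trust-server-cert")
        sys.exit(1)
    print("certificate unchanged; safe to proceed")


if __name__ == "__main__":
    main()
```

Run it once on a machine where a human has already answered "(p)ermanently"; copying that one cached record to new build machines then lets them pass the check without anyone re-typing the fingerprint.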

