
bypass ssl certificate validation in subversion

I'm managing a Subversion-based build system and we use a self-signed SSL certificate for the server. So from time to time, we get build failures because a new machine has been added and it can't check out, since it's the first time for that machine to contact the svn server.

The error message is like:

icasimpan ~$ svn ls https://scm.myserver.com/trunk
Error validating server certificate for 'https://scm.myserver.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: scm.myserver.com
 - Valid: from Mon, 05 Dec 2011 00:00:00 GMT until Tue, 11 Dec 2012 23:59:59 GMT
 - Issuer: Terms of use at https://www.verisign.com/rpa (c)10, VeriSign Trust Network, VeriSign, Inc., US
 - Fingerprint: c0:69:f6:67:8d:1f:d2:85:c1:94:9f:59:8e:81:cc:81:3d:1e:44:28
(R)eject, accept (t)emporarily or accept (p)ermanently? 

What I typically need is something like the --insecure parameter to curl. Right now, our workaround is to just run some simple svn command so that we can answer "permanently" to the prompt and the issue is solved... at least until the SSL certificate gets changed/renewed again or the build is done on another new machine.

Has someone solved this issue?

Thanks in advance :)

icasimpan asked Feb 13 '12 08:02




1 Answer

I guess you have two options: throwing all caution overboard and setting --trust-server-cert and --non-interactive from the command line:

 svn help co
 .... snip....
--non-interactive        : do no interactive prompting
--trust-server-cert      : accept unknown SSL server certificates without
                         prompting (but only with '--non-interactive')

and the other option is to use something like openssl s_client with -showcerts to check and validate if the cert has changed prior to the svn call - and then either abort very cleanly and let a human make the judgment call, or something dirty - like using -showcerts to update the known cert in ~/.subversion.

In either case - the bit of nonintuitive magic is on the files in ~/.subversion/auth/svn.ssl.server/<serverrecord> - to extract the cert info you need:

cat <serverrecord> | grep ^MII | base64decode  | openssl x509 -text -inform DER

or something like

cat <serverrecord> | grep ^MII | base64decode  | openssl x509 -inform DER -out current-cert.pem

and can then use openssl s_client with -CApath or verify with that cert to see if it has changed and/or use -showcerts to cross check. (Note: substitute perl -e 'use MIME::Base64;print decode_base64(join("",<>));' for base64decode if needed).

Dirk-Willem van Gulik answered Oct 08 '22 05:10
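
The answer's second option (check whether the certificate changed before the svn call and abort so a human can decide), sketched as an added example that is not part of the original answer. The function names are hypothetical; it assumes GNU `sha1sum` and `base64`, that the cached certificate is the base64 DER line starting with `MII` as in the answer's `grep`, and that the fingerprint svn prints is the SHA-1 of the DER certificate.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Needs sha1sum, base64, openssl.

# DER bytes on stdin -> SHA-1 fingerprint in the aa:bb:... form svn prints.
der_fingerprint() {
    sha1sum | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# Fingerprint of the certificate cached in an svn.ssl.server record ($1).
# As in the answer, the cached cert is the base64 DER line starting "MII".
cached_fingerprint() {
    b64=$(grep '^MII' "$1" 2>/dev/null | head -n 1)
    [ -n "$b64" ] || return 2
    printf '%s\n' "$b64" | base64 -d | der_fingerprint
}

# Fingerprint of the certificate the server presents now ($1 host, $2 port).
live_fingerprint() {
    pem=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
          openssl x509 -outform PEM 2>/dev/null)
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl x509 -outform DER | der_fingerprint
}

# Compare record $1 with fingerprint $2. Never accepts a new cert by itself.
# Returns 0 = unchanged, 1 = changed (stop, let a human decide), 2 = no cached cert.
check_pin() {
    cached=$(cached_fingerprint "$1") || return 2
    [ "$cached" = "$2" ] && return 0
    echo "server certificate changed: cached=$cached live=$2" >&2
    return 1
}

# Build gate: preflight <record> <host> <port> && svn --non-interactive ...
preflight() {
    live=$(live_fingerprint "$2" "$3") || return 2
    check_pin "$1" "$live"
}
```

A build job that treats any non-zero status from `preflight` as a failure stops when the server certificate is renewed or replaced, instead of silently trusting whatever is presented.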