misc/190331: svnlite has a bug in https support / "--trust-server-cert" does not work
Leander
mr-spott at gmx.de
Wed May 28 07:20:00 UTC 2014
>Number: 190331
>Category: misc
>Synopsis: svnlite has a bug in https support / "--trust-server-cert" does not work
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 28 07:20:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Leander
>Release: FreeBSD 10.0-RELEASE
>Organization:
Private
>Environment:
FreeBSD Storage-03.NetOcean.Local 10.0-RELEASE FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014 root at snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
A full description can be found here:
https://forums.freebsd.org/viewtopic.php?f=43&t=46620&p=260645#p260612
A short summary: svnlite does not treat the "--trust-server-cert" as described and expected. A server cert must currently be manually accepted before the combination of "--non-interactive --trust-server-cert" does its job, e.g. in an unattended script.
svnlite checkout https://svn0.eu.FreeBSD.org/base/releng/10.0/ /usr/src --non-interactive --trust-server-cert
svn: E230001: Unable to connect to a repository at URL 'https://svn0.eu.freebsd.org/base/releng/10.0'
svn: E230001: Server SSL certificate untrusted
>How-To-Repeat:
# Ensure there are no old keys left which may corrupt the result ...
[[ -d ~/.subversion ]] && mv ~/.subversion /tmp/
# Start a sync of the FreeBSD sources ...
svnlite checkout https://svn0.eu.FreeBSD.org/base/releng/10.0/ /usr/src --non-interactive --trust-server-cert
svn: E230001: Unable to connect to a repository at URL 'https://svn0.eu.freebsd.org/base/releng/10.0'
svn: E230001: Server SSL certificate untrusted
>Fix:
A workaround is to save server keys once and implement them into ~/.subversion/, e.g.:
[[ -d ~/.subversion ]] && rm -r ~/.subversion
mkdir -p -m 0755 ~/.subversion/auth/svn.ssl.server
(
cat <<'EOF'
K 10
ascii_cert
V 2284
MIIGqzCCBJOgAwIBAgIJAN50OQRbgfDIMA0GCSqGSIb3DQEBBQUAMIGNMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFDASBgNVBAoTC0ZyZWVCU0Qub3JnMRMwEQYDVQQLEwpjbHVzdGVyYWRtMR8wHQYDVQQDExZzdm5taXIueXN2LkZyZWVCU0Qub3JnMSUwIwYJKoZIhvcNAQkBFhZjbHVzdGVyYWRtQEZyZWVCU0Qub3JnMB4XDTEzMDcyOTIyMDEyMVoXDTQwMTIxMzIyMDEyMVowgY0xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEUMBIGA1UEChMLRnJlZUJTRC5vcmcxEzARBgNVBAsTCmNsdXN0ZXJhZG0xHzAdBgNVBAMTFnN2bm1pci55c3YuRnJlZUJTRC5vcmcxJTAjBgkqhkiG9w0BCQEWFmNsdXN0ZXJhZG1ARnJlZUJTRC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDMV94UpcQjtD0IhCnMhySdwq6V8FFwXwqZ7f3isAwWGYpXob4n/OWjHam7ZsFIb/37/ur7uGc3CRr2o0ke+kJr68RXVxctpJ0PT5TW39D/q97O97l52bqzxHdjPxEbNEs/QBs6NjujvUJZxrpo+6TPFKlT1E3qL1zoit75x/AQBVq34sJu7OG2464Wuc2w/e/F9gs8wI7+qQoImIZizksdD6fjPpqZpoNm0krtbaWJ7gOeFXTVyUFFMEFdaSEn25xCWibAvkHy7X5yPJrS6btKdE/i4O8RS1xlIq8L6TNZaIUJL43Gcq0CSMOALLU6o/I3mxJfL0OrHh/jIsTGb2A6mRoYgDDLNbDyzXCkDUI5bWVp0ucu13PgUJtBtdtJv5MEiZwMrUoFqTs4sZW6alj6d8tAniYMcfM9l0YOWKFmnopDxXyTBH+2kfYLU8wR/hMeRlOi9qwwK4dOZcQ1FqZN33ZDo6
sKFjFBS1qn82ncHrzomHopeJckJs0XrXebAGpW48IFbeV9bf3zrMcJFTbL8x6byJ8LAwHYlCZejLkpmla9ZsrUzeUk5eAldh2iB45hOcfBkb6kQyodYWjOBj3RYIz+7LlUuj0HtvSp+3oYLh+tLuFPRi63VdzBv6owykTxLRzdVFQTT8prqeAGyMXTSGXmM4aLnmyEft0TFdpltwIDAQABo4IBCjCCAQYwgesGA1UdEQSB4zCB4IIWc3ZubWlyLnlzdi5GcmVlQlNELm9yZ4IYc3ZuMC51cy1lYXN0LkZyZWVCU0Qub3Jnghhzdm4xLnVzLWVhc3QuRnJlZUJTRC5vcmeCGHN2bjAudXMtd2VzdC5GcmVlQlNELm9yZ4IYc3ZuMS51cy13ZXN0LkZyZWVCU0Qub3JnghNzdm4wLmV1LkZyZWVCU0Qub3JnghNzdm4xLmV1LkZyZWVCU0Qub3Jnghlzdm4wLmV1LW5vcnRoLkZyZWVCU0Qub3Jnghlzdm4xLmV1LW5vcnRoLkZyZWVCU0Qub3JnMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4ICAQBn8GGOpAf1dlDg4nojM/pkjDopwKfx2UXLg/3VwNaXHXmbd7V1DFfBJwBNaMUEXe/G33Gjkk756UhifCsKQyFCsJlURp+jtkL7QPN7NOd2v4Hmh6D1sEitoY5YKD2wjh6GrMLkYrirmMn5V/oj0/RjCtX8fBckox+Cb1DjGTBRJ6Qv7zA9K3IL3J8cqK41RZn6TzzEPI/bA/2nL3hZ+7DOIeuAbLsM164t7P9dCOSa9UX7l77I4Iwr9YjTBWC09vi4TxNvqYqg16skf6o3GEyYUo3y1G9haBMwnXkJxYQWEzTpldnHBlsZp4pqumbvBC7cL+VVng7AFX74xiOAk5Mylb9Q4k19X51sWf2nOHTQNqPMXimWU354+7NEbdeZmhGkef4fZt+I5Ge
iPWb/DeZiXkbQIU/QEme/XNiy2Ca/0hX1oEO9C0ImUSL!
I2DnT94E3cO+plcmC+8FXHAAlusyM16LnHLuZqHe5DF/e/W3USCV+2DoA9RIltJPsw8MpYsEFKkx1lVTA3BPOrT6t2cNjWjW0Pqs+B1raAjNjeKoKD+d0TGhoGAFzmMFblx5jt7+NuYVJgWL1kLV52UnabcyJWAPWobNDpt98JWVRHTa+yp92Jg/9zfccbaIE9xCWxgXj9/YyWIGeSVIBSFpWMz/rhwegVR+6PFgBF/7t/W0W5Q==
K 8
failures
V 2
12
K 15
svn:realmstring
V 36
https://svn0.us-east.freebsd.org:443
END
EOF
) > ~/.subversion/auth/svn.ssl.server/87ff8e8fd0384311d1630a5693b2abb5
chmod 0755 ~/.subversion/auth/svn.ssl.server/87ff8e8fd0384311d1630a5693b2abb5
svnlite checkout https://svn0.eu.FreeBSD.org/base/releng/10.0/ /usr/src --non-interactive --trust-server-cert
A /usr/src/bin
A /usr/src/bin/dd
[...]
>Release-Note:
>Audit-Trail:
>Unformatted:
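
The workaround in the Fix section pins a certificate by writing a Subversion auth-cache entry by hand. The following is an added example (not part of the original report and not FreeBSD or Subversion code) that parses that K/V entry format, checks each declared length, and decodes the "failures" bitmask using the bit values from Subversion's svn_auth.h, so an entry can be reviewed before it is deployed. The sample entry and its placeholder certificate bytes are constructed; the function names are hypothetical.

```python
import base64
import hashlib

# Failure bits from Subversion's svn_auth.h (SVN_AUTH_SSL_*).
SSL_FAILURES = {0x1: "NOTYETVALID", 0x2: "EXPIRED", 0x4: "CNMISMATCH",
                0x8: "UNKNOWNCA", 0x40000000: "OTHER"}

def parse_hash_dump(data: bytes) -> dict:
    """Parse 'K <len>\\n<key>\\nV <len>\\n<value>\\n ... END' into a dict.
    Raises ValueError if a declared length does not match its payload."""
    out, pos = {}, 0

    def field(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)          # ValueError if input is truncated
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag or not head[1].isdigit():
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        n, start = int(head[1]), eol + 1
        body = data[start:start + n]
        if len(body) != n or data[start + n:start + n + 1] != b"\n":
            raise ValueError(f"length mismatch in {tag!r} field at byte {pos}")
        pos = start + n + 1
        return body.decode("ascii")

    while not data.startswith(b"END", pos):
        key = field(b"K")
        out[key] = field(b"V")
    return out

def audit_entry(data: bytes) -> dict:
    """Summarise what a cached svn.ssl.server entry actually trusts."""
    entry = parse_hash_dump(data)
    mask = int(entry["failures"])
    der = base64.b64decode(entry["ascii_cert"], validate=True)
    return {
        "realm": entry["svn:realmstring"],
        # Validation failures this entry tells the client to accept.
        "accepted_failures": [n for bit, n in SSL_FAILURES.items() if mask & bit],
        # Fingerprint to compare against one obtained out of band.
        "sha256": hashlib.sha256(der).hexdigest(),
    }

# Constructed sample: same keys as the entry in the report, placeholder cert bytes.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real cert").decode()
SAMPLE = (f"K 10\nascii_cert\nV {len(SAMPLE_CERT_B64)}\n{SAMPLE_CERT_B64}\n"
          "K 8\nfailures\nV 2\n12\n"
          "K 15\nsvn:realmstring\nV 36\nhttps://svn0.us-east.freebsd.org:443\nEND\n").encode()

if __name__ == "__main__":
    print(audit_entry(SAMPLE))
```

A value whose byte count no longer matches its V header, for instance after a mail client re-wraps a long line, is rejected rather than silently accepted.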