Is Permanently Accept SSL Certificate gone in 1.10.4 ?
Hi all,

I have a script accessing an old svn server whose SSL certificate expired a long time ago. Up to now, I was permanently accepting the certificate on the first run of the script and then everything was sailing smoothly. I reinstalled a couple of months ago a new box where this script was intended to run and the (p)ermanently option seems not provided anymore.

Thankfully, I still have the "old" running box to double-check, and the (p)ermanently option is still present. Both boxes are Debian Buster (but were installed as unstable, before the official release). The (p)ermanently option was also present in svn on previous versions of Debian.

I can notice that the versions of svn changed between my old and new box from 1.10.2 to 1.10.4. Nonetheless, I gave a look at the change-log [1] and it doesn't seem specified that this option has been removed. I also gave a look at the openssl version and it was upgraded from 1.1.0h to 1.1.1b, but I have no clue to evaluate whether the removal of the (p)ermanently option is linked or not to the openssl upgrade.

If some of you have a hint and a half to explain how and why this option disappeared, that would be really nice. I wonder if it was meant or not, to see where I'm headed. Moreover, I would really appreciate it if someone could share a solution to still permanently accept the certificate on the new box, as for now I can't use this box and the old one should soon be decommissioned.

Best Regards,
Pierre

[1] https://svn.apache.org/repos/asf/subversion/tags/1.10.4/CHANGES
Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?
On Fri, Jul 19, 2019 at 01:40:52PM +0200, Pierre Fourès wrote:
> Hi all,
>
> I have a script accessing an old svn server whose SSL certificate
> expired a long time ago. Up to now, I was permanently accepting the
> certificate on the first run of the script and then everything was
> sailing smoothly. I reinstalled a couple of months ago a new box where
> this script was intended to run and the (p)ermanently option seems not
> provided anymore.

If you're scripting 'svn' you should be using the --non-interactive option.

In which case your script can use the --trust-server-cert-failures
option to accept a cert in pre-determined failure cases.

'svn help update', for example, displays the following information
section about the --trust-server-cert-failures option:

  --trust-server-cert-failures ARG : with --non-interactive, accept SSL server
                                     certificates with failures; ARG is
                                     comma-separated list of 'unknown-ca'
                                     (Unknown Authority), 'cn-mismatch'
                                     (Hostname mismatch), 'expired'
                                     (Expired certificate), 'not-yet-valid'
                                     (Not yet valid certificate) and 'other'
                                     (all other not separately classified
                                     certificate errors).

Once your script uses this option it should work out of the box against
your problematic server and there should be no need to save the cert.

Regards,
Stefan
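A scripted wrapper along the lines Stefan describes, added here as an example and not code from the thread or from the Subversion project: it validates the requested failure classes against the five listed in 'svn help update' before building a --non-interactive call, so a typo cannot silently fall back to the interactive prompt or accept more than intended. The working-copy path is a placeholder and 'svn' is assumed to be a 1.9 or later client on PATH.

```shell
#!/bin/sh
# Added example: run svn non-interactively, trusting only the named
# certificate failure classes. Not part of the original thread.

# The classes accepted by --trust-server-cert-failures (from 'svn help update').
SVN_CERT_FAILURE_CLASSES="unknown-ca cn-mismatch expired not-yet-valid other"

# validate_failures LIST: return 0 if every comma-separated token in LIST is a
# known class, 1 otherwise (empty list or unknown token).
validate_failures() {
    _list=$1
    [ -n "$_list" ] || return 1
    for _tok in $(printf '%s' "$_list" | tr ',' ' '); do
        case " $SVN_CERT_FAILURE_CLASSES " in
            *" $_tok "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# build_svn_args FAILURES SUBCOMMAND [ARGS...]: print the svn argument list,
# one per line, for a non-interactive call that accepts only FAILURES.
# Prefer the narrowest class that matches the server (e.g. 'expired') over
# 'other', which covers every unclassified verification error.
build_svn_args() {
    _failures=$1; shift
    validate_failures "$_failures" || {
        echo "unknown failure class in '$_failures'" >&2
        return 1
    }
    printf '%s\n' --non-interactive "--trust-server-cert-failures=$_failures" "$@"
}

# svn_scripted FAILURES SUBCOMMAND [ARGS...]: run svn with those arguments.
svn_scripted() {
    _failures=$1; shift
    validate_failures "$_failures" || return 1
    svn --non-interactive --trust-server-cert-failures="$_failures" "$@"
}

# Example use (placeholder path): svn_scripted expired update /path/to/wc
```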
Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?
On Fri, Jul 19, 2019 at 08:38:57PM +0200, Stefan Sperling wrote:
> On Fri, Jul 19, 2019 at 01:40:52PM +0200, Pierre Fourès wrote:
> > Hi all,
> >
> > I have a script accessing an old svn server whose SSL certificate
> > expired a long time ago. Up to now, I was permanently accepting the
> > certificate on the first run of the script and then everything was
> > sailing smoothly. I reinstalled a couple of months ago a new box where
> > this script was intended to run and the (p)ermanently option seems not
> > provided anymore.
>
> If you're scripting 'svn' you should be using the --non-interactive option.
>
> In which case your script can use the --trust-server-cert-failures
> option to accept a cert in pre-determined failure cases.
>
> 'svn help update', for example, displays the following information
> section about the --trust-server-cert-failures option:
>
>   --trust-server-cert-failures ARG : with --non-interactive, accept SSL server
>                                      certificates with failures; ARG is
>                                      comma-separated list of 'unknown-ca'
>                                      (Unknown Authority), 'cn-mismatch'
>                                      (Hostname mismatch), 'expired'
>                                      (Expired certificate), 'not-yet-valid'
>                                      (Not yet valid certificate) and 'other'
>                                      (all other not separately classified
>                                      certificate errors).
>
> Once your script uses this option it should work out of the box against
> your problematic server and there should be no need to save the cert.

Follow-up regarding your actual question:

It looks like the interactive prompt omits an option to save the cert
if it sees a certificate failure of class 'other' from the above list.
I am not sure why this decision was made but that's what the current
code seems to do.

So I suspect your SSL cert is failing for some reason other than
unknown-ca, cn-mismatch, expired, not-yet-valid.

Additionally, the ability to save a cert is also disabled if the
--no-auth-cache option is used.
Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?
Stefan Sperling wrote on Fri, 19 Jul 2019 18:45 +00:00:
> It looks like the interactive prompt omits an option to save the cert
> if it sees a certificate failure of class 'other' from the above list.
> I am not sure why this decision was made but that's what the current
> code seems to do.

The rationale is that if we don't know what the failure reason _is_, we
don't know whether it's safe to ignore it permanently. In other words,
it only offers "permanently" if the failure bits are all whitelisted.

The downside is that there's no easy way for a user to say "I know what
I'm doing, and I _do_ want to ignore this permanently; make it so", such
as a utility that takes a PEM form certificate (on, say, stdin) and
marks it as permanently trusted.

> So I suspect your SSL cert is failing for some reason
> other than unknown-ca, cn-mismatch, expired, not-yet-valid.