On 3/3/14, 2:50 AM, Bert Huijben wrote:
>> -----Original Message-----
>> From: Daniel Widdis [mailto:wid...@gmail.com]
>> Sent: Saturday 1 March 2014 05:06
>> To: users@subversion.apache.org
>> Subject: Update from 1.8.5 to 1.8.8 breaks my self-signed numeric IP
>> certificate
>>
>> I recently upgraded from 1.8.5 to 1.8.8 via macports. The new version
>> refused to permanently accept my self-signed certificate, citing an
>> "unknown error".
>> Some background on this issue here:
>> http://stackoverflow.com/questions/22108914/subversion-server-ssl-certificate-verification-failed-and-other-reasons
>
> We fixed a bug in Subversion where we accidentally accepted certificate
> issues that were reported after a different first certificate problem.
>
> My guess would be that your self-signed certificate is not completely valid,
> but we accidentally accepted it before because the first report was just
> that you weren't a known certificate authority. The second error could then
> be something like a problem in the certificate chain.

Bert's talking about this change from the CHANGES file:

  * ra_serf: properly ask multiple certificate validation providers for
    acceptance of certificate failures (r1535532)

Which is this change:
http://svn.apache.org/r1535532

I was under the impression that this didn't impact our command line client
because of the commit message that says we accept all or none of the
failures. Looking at the code reinforces that view. It's possible this
change is somehow involved, but I'm not seeing how.

> It could help to upgrade your serf to the latest version as this changes the
> handling of a few certificate checks.
>
> If the internal error is X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE (which I
> happened to reproduce locally some time ago), upgrading to the latest serf
> should resolve this problem for you.

The X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE error issue doesn't make any
sense in the context of a self-signed certificate so I really don't think
this is related.

Can you verify which version of serf you're using? You can find this out by
running:

  svn --version -v

You'll get a lot of output but you're looking for this:

  * ra_serf : Module for accessing a repository via WebDAV protocol using serf.
    - using serf 1.3.4
    - handles 'http' scheme
    - handles 'https' scheme

If you can do this with both the 1.8.5 and 1.8.8 version that would be
interesting.

I don't use MacPorts myself but it looks like the serf-1 package can be
independently upgraded from subversion.

We were discussing this on IRC and Lieven suggested that we ask that you
generate a new key/cert pair and send them to us so we can try and replicate
the behavior. Because as things stand we're not sure what's wrong with the
certificate to trigger that other error.

Your httpd.conf details would probably be helpful as well.