Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-3578

neon upgrade from 0.28.6 to 0.29.0 breaks with wildcard certificate

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 1.6.x
    • Fix Version/s: 1.7.x
    • Component/s: libsvn_ra_neon
    • Labels:
    • Environment:



      Recently I've updated the neon library on my gentoo system from 0.28.6 to
      neon-0.29.0 and my https:// connection is not working anymore.
      "Not working" means here that svn is asking the "(R)eject or accept
      (t)emporarily?" question. As you can see there is no way to accept this
      certificate forever. With the neon library 0.28.6 everything is working fine.
      There is no question about the certificate.
      Here's the complete output with the flag "neon-debug-mask = 258". I replaced the
      domain name with "company.invalid":
      % svn up
      Running pre_send hooks
      compress: Initialization.
      compress: Initialization.
      Sending request headers:
      OPTIONS /svn/src/perl/suckula HTTP/1.1
      User-Agent: SVN/1.6.6 (r40053) neon/0.29.0
      Connection: TE, Keep-Alive
      TE: trailers
      Host: dev.int.company.invalid
      Content-Type: text/xml
      Accept-Encoding: gzip
      DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
      DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
      DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
      Content-Length: 104
      Accept-Encoding: gzip
      Sending request-line and headers:
      Doing DNS lookup on dev.int.company.invalid...
      Connecting to
      Negotiating SSL connection.
      ssl: Got 3 certs in peer chain.
      ssl: Match common name '*.company.invalid' against ''
      ssl: Match common name 'PositiveSSL CA' against ''
      ssl: Match common name 'UTN-USERFirst-Hardware' against ''
      ssl: Match common name 'AddTrust External CA Root' against ''
      ssl: Match common name 'AddTrust External CA Root' against ''
      ssl: Match common name '*.company.invalid' against 'dev.int.company.invalid'
      ssl: Identity match for 'dev.int.company.invalid': bad
      ssl: Verify peers returned 0, status=0
      ssl: Verification failures = -1223176442 (status = 0).
      Error validating server certificate for 'https://dev.int.company.invalid:443':
       - The certificate hostname does not match.
       - The certificate has expired.
       - The certificate has an unknown error.
      Certificate information:
       - Hostname: *.company.invalid
       - Valid: from Mon, 11 Jun 2007 00:00:00 GMT until Wed, 15 Sep 2010 23:59:59 GMT
       - Issuer: Comodo CA Limited, Salford, Greater Manchester, GB
       - Fingerprint: d2:d6:76:ee:7c:b1:87:ce:28:6a:0e:eb:c5:03:87:30:cf:1d:a7:b9
      (R)eject or accept (t)emporarily?
      Here are 3 facts:
      1) The clock on both computers are fine. There are complete in sync with the
      reality. B-)
      2) Downgrading the neon library to 0.28.6 solves the problem. The certificate
      questions disappears and everything is working.
      3) Using the "(t)emporarily" option is working. "svn" is doing it's update for
      this time and the next time the question pops up again.
      If you need additional information, please feel free to ask.

      Original issue reported by ewasser




            • Assignee:
              subversion-importer Subversion Importer


              • Created:

                Issue deployment