Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-3578

neon upgrade from 0.28.6 to 0.29.0 breaks with wildcard certificate

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Won't Fix
    • 1.6.x
    • 1.7.x
    • libsvn_ra_neon
    • None

    • Linux

    Description

      Recently I've updated the neon library on my gentoo system from 0.28.6 to
neon-0.29.0 and my https:// connection is not working anymore.

"Not working" means here that svn is asking the "(R)eject or accept
(t)emporarily?" question. As you can see there is no way to accept this
certificate forever. With the neon library 0.28.6 everything is working fine.
There is no question about the certificate.

Here's the complete output with the flag "neon-debug-mask = 258". I replaced the
domain name with "company.invalid":

% svn up
Running pre_send hooks
compress: Initialization.
compress: Initialization.
Sending request headers:
OPTIONS /svn/src/perl/suckula HTTP/1.1
User-Agent: SVN/1.6.6 (r40053) neon/0.29.0
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Host: dev.int.company.invalid
Content-Type: text/xml
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Content-Length: 104
Accept-Encoding: gzip

Sending request-line and headers:
Doing DNS lookup on dev.int.company.invalid...
Connecting to 10.20.11.17
Negotiating SSL connection.
ssl: Got 3 certs in peer chain.
ssl: Match common name '*.company.invalid' against ''
ssl: Match common name 'PositiveSSL CA' against ''
ssl: Match common name 'UTN-USERFirst-Hardware' against ''
ssl: Match common name 'AddTrust External CA Root' against ''
ssl: Match common name 'AddTrust External CA Root' against ''
ssl: Match common name '*.company.invalid' against 'dev.int.company.invalid'
ssl: Identity match for 'dev.int.company.invalid': bad
ssl: Verify peers returned 0, status=0
ssl: Verification failures = -1223176442 (status = 0).
Error validating server certificate for 'https://dev.int.company.invalid:443':
 - The certificate hostname does not match.
 - The certificate has expired.
 - The certificate has an unknown error.
Certificate information:
 - Hostname: *.company.invalid
 - Valid: from Mon, 11 Jun 2007 00:00:00 GMT until Wed, 15 Sep 2010 23:59:59 GMT
 - Issuer: Comodo CA Limited, Salford, Greater Manchester, GB
 - Fingerprint: d2:d6:76:ee:7c:b1:87:ce:28:6a:0e:eb:c5:03:87:30:cf:1d:a7:b9
(R)eject or accept (t)emporarily?

Here are 3 facts:
1) The clock on both computers are fine. There are complete in sync with the
reality. B-)
2) Downgrading the neon library to 0.28.6 solves the problem. The certificate
questions disappears and everything is working.
3) Using the "(t)emporarily" option is working. "svn" is doing it's update for
this time and the next time the question pops up again.

If you need additional information, please feel free to ask.

      Original issue reported by ewasser

      Attachments

        Activity

          People

            Unassigned Unassigned
            subversion-importer Subversion Importer
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: