jrobgood Pro Feb 22. 2010. 7:21 pm
Despite permanently accepting a non-trusted SSL cert from my SVN host via the command line, aC's Source Module refuses to connect to that repository with a "Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted" message.

Does this Source module use mod_authz_svn? If so, the apache <--> svn interaction is running with a non-shell account so I cannot interactively allow the certificate this way.

I cannot disable SSL on my SVN host (it's a third-party service.)
Ilija Studen Staff Feb 23. 2010. 2:13 am
activeCollab uses SVN command line client exclusively, and does not rely on any Apache or PHP modules or extensions.
jrobgood Pro Feb 23. 2010. 3:12 am
I wonder if I could use stunnel on the aC server to negotiate the SSL SVN since SVN has deprecated their ignore certificate errors switch?

Any other thoughts?
Ilija Studen Staff Feb 23. 2010. 2:44 pm
Because activeCollab communicates with the SVN command line utility in non-interactive mode, you should make sure that your SVN binaries and your repositories communicate without any interruption or request for input. This is pretty much the system requirement, and different situations and setups may require different approaches.

Is HTTPS the only way to communicate with your repository?
jrobgood Pro Feb 27. 2010. 8:08 pm
Yes, it's a third-party service (springloops.com) and they require it. Right now I am experimenting with stunnel as a proxy running on localhost and also trying SETUID on the SVN binary to drop it into an interactive account wherein I would have accepted the flawed certificate.
jrobgood Pro Feb 27. 2010. 10:38 pm
Alright, here's my workaround in the meantime. This assumes the aC server is running Subversion >= 1.6.

Use at your own risk, I assume no liability as a result of this certificate authentication bypass.




+++ subversion.class.php
@@ -497,7 +497,7 @@

$executable_path = empty($this->executable_path) ? '' : with_slash($this->executable_path);

- $escaped = escapeshellcmd($executable_path."svn ".$authentication." ".$this->config_dir." $command")." 2>&1";
+ $escaped = escapeshellcmd($executable_path."svn ".$authentication." ".$this->config_dir." $command --trust-server-cert")." 2>&1";

exec($escaped, $this->output);
$error = $this->checkResponse($this->output);
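
Review bot: on the changed $escaped line, --trust-server-cert is concatenated into the command string unconditionally, so every svn invocation built here skips the certificate check for every repository configured in the module, not only the one host with the untrusted certificate. Consider leaving the command unchanged and trusting that host's CA through the config directory that is already passed via $this->config_dir, or at least append the flag only when a per-repository setting asks for it. If the flag stays, the Subversion >= 1.6 requirement stated in the post belongs in a code comment next to this line.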
muhtaufikt Pro Mar 15. 2010. 4:44 am
Hi, I just installed a certificate on my server and was having the same problem. We are using a low-cost RapidSSL certificate (verified by Equifax), and it seems like the svn client is having problems verifying the certificate.

Rather than using the (possibly) unsafe method above, you can try to edit the global svn servers file settings and add the root certificate of the problematic certificate to the list of trusted CAs. See http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts for more info on this.

Here's how I do it on my Ubuntu 8.04 server:

1. Download the Root Certificate file

In my case, RapidSSL is signed by Equifax, so copy the contents of the Equifax Root Certificate file found here: http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer. Create a new file with vim on my server, say, /etc/ssl/certs/equifax_root.cer, paste the contents and save.

In your case, you should contact the SVN service provider and ask for the root certificate. For a self-signed certificate, you should use your self-generated CA file.

2. Edit servers configuration file

In Ubuntu, this file is located at /etc/subversion/servers. Open the file using vim or your favorite text editor, and under [global], add or uncomment this line:
ssl-authority-files = /etc/ssl/certs/equifax_root.cer (path to root cert, this is a semicolon delimited list)

3. Check that it works by issuing an svn command from the command line, using the --config-dir option if needed. In my case the --config-dir parameter's value would be /etc/subversion.

4. The Source module in activeCollab can use a custom SVN Config Directory Path; set the path to the same path as in step 3.

5. It should be working fine.
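
The servers-file edit from steps 2 to 4 above, as an added example that is not part of the original post: a shell function that adds a CA file to ssl-authority-files under [global] without dropping entries already in the semicolon-delimited list. The function name add_svn_ca and the throwaway demo directory are this example's own assumptions; the option name, section name and paths come from the post.

```shell
#!/bin/sh
# add_svn_ca CONFIG_DIR CA_FILE  (hypothetical helper, not from the post)
# Ensures CA_FILE is listed in ssl-authority-files under [global] in
# CONFIG_DIR/servers, keeping existing entries of the semicolon-delimited list.
add_svn_ca() {
    config_dir=$1
    ca_file=$2
    servers="$config_dir/servers"
    mkdir -p "$config_dir" || return 1
    [ -f "$servers" ] || : > "$servers"
    tmp="$servers.tmp.$$"
    awk -v ca="$ca_file" '
        function emit() { print "ssl-authority-files = " ca; written = 1 }
        /^[ \t]*\[/ {                            # any section header
            if (in_global && !written) emit()    # leaving [global] unset
            in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/)
            if (in_global) seen = 1
            print; next
        }
        # Active (uncommented) option inside [global]: extend the list once.
        in_global && !written && /^[ \t]*ssl-authority-files[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            n = split(val, parts, ";"); found = 0
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] == ca) found = 1
            }
            if (found) print
            else print "ssl-authority-files = " (val == "" ? ca : val ";" ca)
            written = 1; next
        }
        { print }
        END {
            if (!seen) print "[global]"          # file had no [global] section
            if (!written) emit()
        }
    ' "$servers" > "$tmp" && mv "$tmp" "$servers"
}

# Constructed demo in a throwaway directory; on the server from the post the
# arguments would be /etc/subversion and /etc/ssl/certs/equifax_root.cer.
demo_dir=$(mktemp -d)
add_svn_ca "$demo_dir" /etc/ssl/certs/equifax_root.cer
cat "$demo_dir/servers"
```

Running it twice with the same CA leaves the file unchanged, and the resulting directory is what step 3 passes to svn with --config-dir.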