svn 不会接受证书,但 s_client 接受
当针对我们的 svn 服务器运行 svn 时,我收到此错误(域名和指纹已编辑):
Error validating server certificate for 'https://svn.example.org:443':
- The certificate has expired.
- The certificate has an unknown error.
Certificate information:
- Hostname: mail.example.org
- Valid: from Fri, 24 Sep 2010 13:05:10 GMT until Wed, 09 Feb 2011
15:24:52 GMT
- Issuer: 07969287, http://certificates.godaddy.com/repository,
GoDaddy.com, Inc., Scottsdale, Arizona, US
- Fingerprint: 00:e5:....
(R)eject or accept (t)emporarily? t
所以一个错误说它已过期,几行后它说过期日期是 2011。然后有一个未知错误。这是 svn 1.6 - 旧版本有一个接受永久选项。
我还尝试运行 openssl s_client 来检查证书:
openssl s_client -host svn.example.org -port 443 -verify 5 -CApath /etc/ssl/certs
在我得到的其他输出中:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7604...
Session-ID-ctx:
Master-Key: 22AB...
Key-Arg : None
Compression: 1 (zlib compression)
Start Time: 1288804434
Timeout : 300 (sec)
Verify return code: 0 (ok)
这表明 SSL 设置正确。
我唯一能想到的是,我们使用的是多域证书,mail.example.org 是主题 CN,svn.example.org 列在 subjectAltName 部分中。
这影响了很多人,我不希望我们的客户必须处理这个问题,所以我真的想要一个解决方案来消除这个错误,而不是仅仅为我修复它。任何帮助表示赞赏。
编辑:我可以在网络浏览器中加载https://svn.example.org/并且它不会抱怨。我可以通过网络浏览器查看证书层次结构,并且链中的所有证书都没有过期。
我已经按照 Bruno 的建议检查了 ldd svn ,它与 libgnutls 链接,而 openssl 与 libssl 链接。是否有与使用 libgnutls 的 s_client 命令等效的命令?
Edit2:(这样以后的人很容易找到)。 svn 使用 gnutls 库而不是 ssl 库,并且 gnutls 比 ssl 更严格。因此,为了查看错误,您需要使用gnutls-cli。就我而言,gnutls 不喜欢证书的顺序,即使它们都在那里。请参阅之前的链接了解更多详细信息。
When running svn against our svn server I'm getting this error (domain name and fingerprint edited):
Error validating server certificate for 'https://svn.example.org:443':
- The certificate has expired.
- The certificate has an unknown error.
Certificate information:
- Hostname: mail.example.org
- Valid: from Fri, 24 Sep 2010 13:05:10 GMT until Wed, 09 Feb 2011
15:24:52 GMT
- Issuer: 07969287, http://certificates.godaddy.com/repository,
GoDaddy.com, Inc., Scottsdale, Arizona, US
- Fingerprint: 00:e5:....
(R)eject or accept (t)emporarily? t
So one error says it has expired, and a few lines later it says the expiry date is 2011. And then there is an unknown error. This is svn 1.6 - older versions had an accept permanently option.
I've also tried running openssl s_client to check the certificate:
openssl s_client -host svn.example.org -port 443 -verify 5 -CApath /etc/ssl/certs
And amongst other output I get:
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7604...
Session-ID-ctx:
Master-Key: 22AB...
Key-Arg : None
Compression: 1 (zlib compression)
Start Time: 1288804434
Timeout : 300 (sec)
Verify return code: 0 (ok)
Which suggests that SSL is set up properly.
The only thing I can think of is that we're using a multi-domain certificate, with mail.example.org being the subject CN and svn.example.org being listed in the subjectAltName section.
This is affecting a number of people, and I don't want our clients to have to deal with this, so I'd really like a solution that makes this error go away rather than just fixing it for me. Any help appreciated.
Edit: I can load https://svn.example.org/ in my web browser and it doesn't complain. I can view the certificate hierarchy through the web browser and none of the certificates in the chain have expired.
I've checked ldd svn as suggested by Bruno, and it is linked against libgnutls, while openssl is linked against libssl. Is there an equivalent to the s_client command using libgnutls?
Edit2: (So it's easy to find for later people). svn uses the gnutls library rather than the ssl library, and gnutls is more strict than ssl. So in order to see the error, you need to use gnutls-cli. In my case, gnutls didn't like the order of certificates, even though they are all there. See the link before for more details.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我不确定它是否能解决您的问题,但是您可以在
~/.subversion/servers中配置一个ssl-authority-files选项(您可以限制它)我认为,如果您愿意的话,可以发送给某些主机)。此外,您的
svn版本可能与其 SSL/TLS 堆栈的 OpenSSL 链接到另一个库,例如 GnuTLS(这应该可以使用ldd在svn 二进制文件)。(您是否检查过CA证书是否已过期,而不是服务器证书本身?)
I'm not sure if it will fix your problem, but there's an
ssl-authority-filesoption you can configure in~/.subversion/servers(you can limit it to certain hosts if you want, I think).In addition, it's possible that your version of
svnis linked against another library than OpenSSL for its SSL/TLS stack, for example GnuTLS (this should be visible usinglddon the svn binary).(Have you checked whether the CA certificate may have expired, rather than the server certificate itself?)