What does Subversion use for its CA list?

2

I'm using SVN on Mac OS X. Often, when I check out something from SourceForge, I am presented with:

$ svn checkout https://svn.code.sf.net/p/cryptopp/code/trunk/c5 cryptopp-ecies
Error validating server certificate for 'https://svn.code.sf.net:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.code.sf.net
 - Valid: from Thu, 16 Apr 2015 00:00:00 GMT until Sun, 15 May 2016 23:59:59 GMT
 - Issuer: GeoTrust Inc., US
 - Fingerprint: 1f:7b:73:d5:cf:71:18:76:d5:23:f3:07:c9:2f:f5:4a:52:67:0f:68

OpenSSL's s_client shows the topmost CA is Equifax Secure Certificate Authority:

$ openssl s_client -connect svn.code.sf.net:443 -showcerts
...
---
Certificate chain
 0 s:/C=US/ST=New York/L=New York/O=Dice Career Solutions/OU=code.sf.net/CN=*.code.sf.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Equifax Secure Certificate Authority is present in OS X's Keychain:

So I'm not quite sure why I am being prompted by Subversion.

Question: what does Subversion use for its CA list?


This is Apple's 1.7.10 version of SVN (and not Brew or Macports):

$ which svn
/usr/bin/svn
$ svn --version
svn, version 1.7.10 (r1485443)
   compiled Jan 15 2014, 11:22:16

Apple's man page for SVN only describes the program in one paragraph. It does not even bother detailing switches.

jww

Posted 2015-04-18T23:49:43.450

Reputation: 1

Answers

3

By default, the svn client doesn't use any certificates. You have two options:

1.

Download the latest Mozilla CA certificates ca-bundle.crt file from the link on the cURL webpage.

Find the svn config file called servers in your home directory: ~/.subversion/servers. Create the file and the .subversion folder if they don't exist.

Add the path to the certificate bundle in the global section of the servers config:

[global]
ssl-authority-files = /path/to/the/ca-bundle.crt

2.

Install CA certificates for OpenSSL and add the following line to your servers config file in the global section:

[global]
ssl-trust-default-ca = yes

Initially I thought that the second option doesn't work on OS X but I tested it and it actually works.

baf

Posted 2015-04-18T23:49:43.450

Reputation: 131

Thanks @baf. I'm interested in learning what Apple's subversion uses for its list, not how to replace it. Subversion's message is "The certificate is not issued by a trusted authority", which tells me it's got a list and Equifax Secure Certificate Authority is not on it. I'm trying to understand why. – jww – 2015-04-19T20:16:37.613

@jww It doesn't use any "list". It depends on openssl certificates and openssl doesn't install any certificates by default. If you install certificates and set ssl-trust-default-ca = yes it actually works. I updated my answer. – baf – 2015-04-19T21:34:15.763
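
As an added illustration (not part of the original thread, and not Subversion's own code), this Python sketch reads the text of a servers file and reports which of the two trust settings from the answer apply to a given host. It assumes Subversion's [groups] glob matching with per-group overrides of [global] and semicolon-separated ssl-authority-files lists; the function name, sample config, and paths are constructed.

```python
import configparser
import os
from fnmatch import fnmatchcase

TRUE_WORDS = {"yes", "true", "on", "1"}

# Constructed sample of ~/.subversion/servers (paths are placeholders).
SAMPLE = """\
[groups]
sourceforge = *.code.sf.net, *.sf.net

[sourceforge]
ssl-authority-files = /path/to/the/ca-bundle.crt;/path/to/extra-ca.pem

[global]
ssl-trust-default-ca = yes
"""

def effective_trust(servers_text, hostname):
    """Resolve the CA trust settings that apply to hostname."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep group names exactly as written
    cfg.read_string(servers_text)
    # Start from [global]; a matching server group overrides it key by key.
    settings = dict(cfg["global"]) if cfg.has_section("global") else {}
    group = None
    if cfg.has_section("groups"):
        for name, patterns in cfg["groups"].items():
            globs = [p.strip().lower() for p in patterns.split(",")]
            if any(fnmatchcase(hostname.lower(), g) for g in globs):
                group = name
                if cfg.has_section(name):
                    settings.update(cfg[name])
                break
    raw_files = settings.get("ssl-authority-files", "")
    files = [p.strip() for p in raw_files.split(";") if p.strip()]
    raw_default = settings.get("ssl-trust-default-ca")
    # None means the key is absent, so the client's built-in default applies.
    default_ca = None if raw_default is None else raw_default.strip().lower() in TRUE_WORDS
    return {
        "group": group,
        "authority_files": files,
        # A mistyped bundle path leaves that file contributing no CAs.
        "missing_files": [p for p in files if not os.path.isfile(p)],
        "default_ca": default_ca,
        "explicit_trust_source": bool(files) or bool(default_ca),
    }

if __name__ == "__main__":
    print(effective_trust(SAMPLE, "svn.code.sf.net"))
```

To inspect a real configuration, pass the contents of ~/.subversion/servers instead of SAMPLE.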