www-infrastructure-issues mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (INFRA-8814) Different certs for svn.us/.eu mean svn.geo redirection does not work properly
Date Mon, 04 May 2015 07:53:05 GMT

[ https://issues.apache.org/jira/browse/INFRA-8814?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb updated INFRA-8814:
    Status: Waiting for Infra  (was: Closed)

The updated cert on svn.us (hades) is now no longer the same as the cert on svn.eu (harmonia).

This will cause problems for SVN

> Different certs for svn.us/.eu mean svn.geo redirection does not work properly
> ------------------------------------------------------------------------------
>                 Key: INFRA-8814
>                 URL: https://issues.apache.org/jira/browse/INFRA-8814
>             Project: Infrastructure
>          Issue Type: Bug
>          Components: Subversion
>            Reporter: Sebb
>            Assignee: Daniel Gruno
>            Priority: Critical
> svn.apache.org resolves via svn.geo.apache.org to either svn.eu.a.o or svn.us.a.o
> By default the SVN client does not know about the CA cert that is used by the svn hosts; this can be overridden by accepting the certificate using the fingerprint as validation.
> This certificate etc. is stored in a file in .subversion/auth/svn.ssl.server/
> The file name is derived from the host name, rather than the IP address.
> [Looks like some kind of hash] So next time the URL is used SVN no longer needs to prompt.
> However this relies on the same certificate always being returned for a given host address.
> This is no longer the case, as the EU and US servers now have different certificates.
> So unless the svn.geo.a.o address always resolves to the same host for a given user, the SVN client will no longer be able to login without user intervention.
> I have tried this locally (by defining different IPs for svn.apache.org) and the SVN client prompts each time svn.apache.org is swapped between EU and US.
> There is no guarantee that svn.a.o will always return the same IP address.
> Especially on a system that may connect via different ISPs or with dynamic IPs. Even my fixed IP gets different values at different times.
> This causes lots of problems.

This message was sent by Atlassian JIRA
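
The failure described in the issue, modelled as an added example (not part of the original message and not Subversion's own code): a trust cache keyed by host name is replayed against a geo-balanced name whose mirrors serve either different or identical certificates. The certificate bytes, the resolution sequence, the cache-key derivation and all function names are constructed assumptions.

```python
import hashlib

# Constructed stand-ins for the DER bytes of each mirror's certificate.
BACKENDS_SPLIT = {"us": b"constructed cert A", "eu": b"constructed cert B"}
BACKENDS_SAME = {"us": b"constructed cert A", "eu": b"constructed cert A"}

def fingerprint(cert_der):
    """SHA-256 fingerprint as colon-separated hex (digest choice is the model's)."""
    h = hashlib.sha256(cert_der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def cache_key(host, port=443):
    """Assumed naming: a hash built from the host name only, never the IP."""
    return hashlib.sha256(f"https://{host}:{port}".encode()).hexdigest()[:32]

class TrustCache:
    """Models .subversion/auth/svn.ssl.server/: one accepted cert per host name."""
    def __init__(self):
        self.entries = {}
        self.prompts = 0

    def connect(self, host, served_cert):
        key, fp = cache_key(host), fingerprint(served_cert)
        if self.entries.get(key) == fp:
            return "silent"          # cached cert matches, no user interaction
        self.prompts += 1            # unknown or changed cert: user must accept
        self.entries[key] = fp       # accepting overwrites the previous entry
        return "prompt"

def count_prompts(host, backends, resolutions):
    """Replay a sequence of geo-DNS answers and count interactive prompts."""
    cache = TrustCache()
    for region in resolutions:
        cache.connect(host, backends[region])
    return cache.prompts

def mismatched_backends(backends):
    """Operator check: group mirrors by fingerprint; {} means all agree."""
    groups = {}
    for region, cert in backends.items():
        groups.setdefault(fingerprint(cert), []).append(region)
    return groups if len(groups) > 1 else {}

if __name__ == "__main__":
    seq = ["us", "eu", "us", "us", "eu"]   # constructed resolution order
    print("split certs :", count_prompts("svn.apache.org", BACKENDS_SPLIT, seq))
    print("shared cert :", count_prompts("svn.apache.org", BACKENDS_SAME, seq))
    print("mismatch    :", mismatched_backends(BACKENDS_SPLIT))
```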
