subversion-users mailing list archives

From "Daniel Shahaf" <...@daniel.shahaf.name>
Subject Re: Is Permanently Accept SSL Certificate gone in 1.10.4 ?
Date Fri, 19 Jul 2019 21:52:32 GMT
Stefan Sperling wrote on Fri, 19 Jul 2019 18:45 +00:00:
> It looks like the interactive prompt omits an option to save the cert
> if it sees a certificate failure of class 'other' from the above list.
> I am not sure why this decision was made but that's what the current
> code seems to do.

The rationale is that if we don't know what the failure reason _is_, we
don't know whether it's safe to ignore it permanently.  In other words,
it only offers "permanently" if the failure bits are all whitelisted.

The downside is that there's no easy way for a user to say "I know what
I'm doing, and I _do_ want to ignore this permanently; make it so", such
as a utility that takes a PEM form certificate (on, say, stdin) and
marks it as permanently trusted.

> So I suspect your SSL cert is failing for some reason
> other than unknown-ca, cn-mismatch, expired, not-yet-valid.
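
The gating rule described in this message, sketched in C as an added example; it is not part of the original post and is not Subversion's own code. The bit values, function names and option strings are assumptions made for illustration; the failure-class names are the ones listed in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Failure classes named in the thread; bit values are illustrative. */
enum { FAIL_NOT_YET_VALID = 0x01, FAIL_EXPIRED = 0x02, FAIL_CN_MISMATCH = 0x04,
       FAIL_UNKNOWN_CA = 0x08, FAIL_OTHER = 0x40000000 };

/* Failures understood well enough that saving the exception is allowed. */
#define FAIL_WHITELIST ((unsigned)(FAIL_NOT_YET_VALID | FAIL_EXPIRED | \
                                   FAIL_CN_MISMATCH | FAIL_UNKNOWN_CA))

static const struct { const char *name; unsigned bit; } fail_names[] = {
    { "not-yet-valid", FAIL_NOT_YET_VALID }, { "expired", FAIL_EXPIRED },
    { "cn-mismatch", FAIL_CN_MISMATCH },     { "unknown-ca", FAIL_UNKNOWN_CA },
};

/* Turn "unknown-ca,expired" into a bit mask. Fails closed: any token that
   is not recognised is folded into FAIL_OTHER. */
unsigned parse_failures(const char *list)
{
    unsigned mask = 0;
    while (*list) {
        size_t len = strcspn(list, ",");
        unsigned bit = FAIL_OTHER;
        for (size_t i = 0; i < sizeof fail_names / sizeof fail_names[0]; i++)
            if (strlen(fail_names[i].name) == len &&
                strncmp(list, fail_names[i].name, len) == 0)
                bit = fail_names[i].bit;
        if (len)                      /* skip empty tokens such as ",," */
            mask |= bit;
        list += len;
        if (*list == ',')
            list++;
    }
    return mask;
}

/* "Permanently" is offered only when every failure bit set is whitelisted.
   With no failure bits there is nothing to prompt about, so return 0. */
int may_accept_permanently(unsigned failures)
{
    return failures != 0 && (failures & ~FAIL_WHITELIST) == 0;
}

/* Constructed option strings: Reject / temporarily / permanently. */
const char *prompt_options(unsigned failures)
{
    return may_accept_permanently(failures) ? "R/t/p" : "R/t";
}

int main(void)
{
    printf("%s\n", prompt_options(parse_failures("unknown-ca,other")));
    return 0;
}
```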
