[asterisk-dev] Subversion TLS certificate replacement

Philippe Sultan philippe.sultan at gmail.com
Mon Nov 10 09:07:25 CST 2008


Hi Kevin,

I tried to retrieve my new certificate several times over the last
days, but the server keeps rejecting me and reports an SSL handshake
error.

Philippe

On Tue, Nov 4, 2008 at 10:39 PM, Kevin P. Fleming <kpfleming at digium.com> wrote:
> To all who have commit access to origsvn.digium.com or
> origsvncommunity.digium.com:
>
> Recently we have been fighting some problems with users being able to
> access our master Subversion repository servers; these problems
> manifested themselves as 'Key usage violation' messages from Subversion,
> and started to appear on Fedora 9 systems (but now also appear on Fedora
> 10, Ubuntu 8.10, CentOS 5.3 and other systems). They began occurring
> when the packagers of Subversion (and possibly Subversion upstream)
> began using GnuTLS for TLS support instead of OpenSSL, since GnuTLS does
> more strict certificate checking than OpenSSL does (or was configured to
> do).
>
> After finally figuring out how to correct our server certificates to
> avoid this problem, we ran into another issue, which is that current
> versions of neon (the WebDAV library that Subversion relies on) have
> some flaws in their GnuTLS TLS support, and at least one of these flaws
> appears when the client certificate file in use actually contains more
> than one certificate. In our case, we typically include our CA
> certificate in the client certificate file (a PKCS12 bundle), which
> caused this bug to manifest itself.
>
> Since we did not actually *need* to have the CA certificate in the
> bundle (it is available separately), I have generated new copies of each
> committer's certificate bundle with only their certificate included.
> There are no other changes in the certificates... passphrase, expiration
> dates, etc. are all as they were before. Using these new copies of the
> certificate allows users of Subversion on the Linux distributions listed
> above to access our master servers without having to build their own
> copy of Subversion to use OpenSSL.
>
> In order to ease the burden of distributing these new certificates, I
> have placed them into a special repository. I encourage everyone with
> commit access to download their new certificate soon, certainly before
> performing any major system upgrades that might result in their old
> certificate no longer being usable :-)
>
> The new certs are located at
> https://origsvn.digium.com/svn/swdev/certificates, and each one is in
> its own directory with a name matching the committer's author ID for the
> repositories. Each directory is access-restricted so that only that user
> can access the certificate.
>
> Please download and try out your new certificate as soon as you can make
> time to do so, and report any problems you find directly to me. Thanks,
> and sorry for any inconvenience this may cause.
>
> --
> Kevin P. Fleming
> Director of Software Technologies
> Digium, Inc. - "The Genuine Asterisk Experience" (TM)
>



-- 
Philippe Sultan
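As an added illustration of the bundle change Kevin describes (this is not code from the thread or from Digium): the script below builds a throw-away CA and committer certificate, packs them into a PKCS12 file the old way (client cert plus CA cert), counts the certificates in the bundle, and re-exports it with only the committer's own certificate. The CA name, committer name, file paths and passphrase are all constructed for the demo, and it assumes an `openssl` command-line tool on the PATH.

```shell
#!/bin/sh
# Added example, not from the original thread. Names, paths and the
# passphrase below are constructed for this demo only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=demo-passphrase

# Number of X.509 certificates stored in a PKCS12 bundle (key excluded).
count_p12_certs() {  # $1 = bundle path, $2 = passphrase
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Re-export a bundle keeping only the private key and its own certificate,
# dropping any CA certificates that were bundled alongside it.
strip_p12_to_leaf() {  # $1 = input bundle, $2 = output bundle, $3 = passphrase
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" \
    -out "$WORK/key.pem" 2>/dev/null
  # -clcerts selects the certificate that matches the key, not the CA cert
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" \
    -out "$WORK/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/leaf.pem" \
    -passout "pass:$3" -out "$2"
}

# Constructed test data: a self-signed CA and a committer cert it signs.
make_demo_bundle() {  # $1 = output bundle path
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=committer" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" \
    -days 30 2>/dev/null
  # -certfile adds the CA cert to the bundle: the layout that tripped neon
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$PASS" -out "$1"
}

make_demo_bundle "$WORK/old.p12"
echo "certificates in old bundle: $(count_p12_certs "$WORK/old.p12" "$PASS")"
strip_p12_to_leaf "$WORK/old.p12" "$WORK/new.p12" "$PASS"
echo "certificates in new bundle: $(count_p12_certs "$WORK/new.p12" "$PASS")"
```

Running `count_p12_certs` against a real committer bundle is a quick way to tell whether it still carries the extra CA certificate before an upgrade to a GnuTLS-based Subversion.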