[rhelv6-list] Subversion client with https and internal CA on RHEL6

Matthias Saou thias at spam.spam.spam.spam.spam.spam.spam.egg.and.spam.freshrpms.net
Wed Mar 9 15:46:15 UTC 2011


Hi,

Replying to myself, but it's because I've found something else related
to this problem, which might be useful to others.

I had always been using the following command to get the name of the
file in which my custom CA is looked for :
openssl x509 -hash -noout -in myca.crt

This used to give me "b903d65c" (as seen in the trace below), but on
RHEL6 it gives "c3314365". This is apparently because openssl now uses
a new hash mechanism, and since I was dynamically generating a symlink
using the value returned by openssl, that symlink was now different with
openssl being run on RHEL6.

The changes as seen in the --help output :
 -subject_hash   - print subject hash value
 -subject_hash_old   - print old-style (MD5) subject hash value
 -issuer_hash    - print issuer hash value
 -issuer_hash_old    - print old-style (MD5) issuer hash value
 -hash           - synonym for -subject_hash

Using -subject_hash_old gives me the same hash RHEL5 does. I hope
this might help others prevent some breakage :-)

Matthias

Matthias Saou wrote :

> Hi,
> 
> I can't seem to figure out the proper clean way to have the svn CLI
> client trust all https URLs using certificates signed by an internal
> CA. With RHEL5, it was easy :
> 
> $ strace svn co https://myserver/repo/ 2>&1 | grep pki
> open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
> open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
> stat("/etc/pki/tls/certs/b903d65c.0", 0x7fff7f839980) = -1 ENOENT (No
> such file or directory)
> 
> The SSL library being used looked for a CA certificate named after a
> hash specific to that certificate (which you got with openssl x509
> -hash -noout -in myca.crt). With RHEL6 this happens no more :
> 
> $ strace svn co https://myserver/repo/ 2>&1 | grep pki
> open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 4
> open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 4
> 
> Appending my CA's certificate to ca-bundle.crt works of course, but
> it's a much more fragile and less elegant solution. Does anyone know
> what the proper way is now?
> 
> Matthias
> 


-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 14 (Laughlin) - Linux kernel 2.6.35.11-83.fc14.x86_64
Load : 0.00 0.02 0.10
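The two-hash problem above, as an added POSIX sh example (not from the post or from any Red Hat tool): it installs one CA certificate into a CApath directory under both the new -subject_hash name and the old -subject_hash_old name, so the lookup works whichever OpenSSL the client links against. The directory and function names are assumptions; the CA-path check at the end is the same lookup the SSL library does for an https URL.

```shell
# Added example: keep a CApath directory usable by both old (MD5 subject
# hash) and new (SHA-1 canonical subject hash) OpenSSL lookups.
set -e

# New-style subject hash (what plain -hash prints on RHEL6 and later).
ca_hash_new() {
    openssl x509 -noout -subject_hash -in "$1"
}

# Old-style MD5 subject hash (what plain -hash printed on RHEL5).
# -subject_hash_old exists on OpenSSL >= 1.0.0 only.
ca_hash_old() {
    openssl x509 -noout -subject_hash_old -in "$1"
}

# Create <hash>.N symlinks for one CA certificate in a CApath directory.
# OpenSSL tries <hash>.0, <hash>.1, ... so the suffix resolves collisions;
# the first free suffix is used, and an existing link to this same file
# is left alone, which makes the function safe to re-run.
install_ca_links() {
    capath="$1"; cert="$2"
    target="$(readlink -f "$cert")"
    for h in "$(ca_hash_new "$cert")" "$(ca_hash_old "$cert")"; do
        n=0
        while [ -e "$capath/$h.$n" ]; do
            [ "$(readlink -f "$capath/$h.$n")" = "$target" ] && continue 2
            n=$((n + 1))
        done
        ln -s "$target" "$capath/$h.$n"
    done
}

# Check that a CApath directory can actually validate a certificate,
# i.e. that the hash-named link is found. Exit status 0 means trusted.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run install_ca_links /etc/pki/tls/certs myca.crt on a host where that directory is the CApath, then verify_with_capath against a server certificate issued by that CA to confirm the lookup before touching ca-bundle.crt.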
