Tortoise SVN and non-public certificate


Frank Breedijk

Nov 17, 2011, 3:07:51 AM
to us...@tortoisesvn.tigris.org
Hello,

We run an SVN repository protected with a certificate issued by our own internal CA. This CA is added to the Windows certificate store and thus these certificates validate nicely when we browse to our SVN repository.

However when Tortoise connects to the repository I get this error message:
Unable to connect to a repository at URL 'https://svn.xxx.lan/xxx/trunk'
OPTIONS of 'https://svn.xxx.lan/xxx/trunk': Could not read status line:
SSL error: sslv3 alert certificate unknown (https://svn.xxx.lan)

It appears that Tortoise does not use the windows cert store, but an internal certificate store, how do I add the CA certificate to the store or make Tortoise prompt me to accept the certificate?

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2879153


Stefan Küng

Nov 17, 2011, 6:59:33 AM
to us...@tortoisesvn.tigris.org
On Thu, Nov 17, 2011 at 09:07, Frank Breedijk
<fbre...@schubergphilis.com> wrote:
> Hello,
>
> We run an SVN repository protected with a certificate issued by our own internal CA. This CA is added to the Windows certificate store and thus these certificates validate nicely when we browse to our SVN repository.
>
> However when Tortoise connects to the repository I get this error message:
> Unable to connect to a repository at URL 'https://svn.xxx.lan/xxx/trunk'
> OPTIONS of 'https://svn.xxx.lan/xxx/trunk': Could not read status line:
>  SSL error: sslv3 alert certificate unknown (https://svn.xxx.lan)
>
> It appears that Tortoise does not use the windows cert store, but an internal certificate store, how do I add the CA certificate to the store or make Tortoise prompt me to accept the certificate?

you also have to add the internal CA to the cert store. Otherwise the
cert in your store can not be validated: the error does not tell you
that there is no certificate, but that the certificate (which is
there, so Subversion found it) is unknown, i.e. not verified.

Stefan

--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2879197

Frank Breedijk

Nov 18, 2011, 11:36:59 AM
to us...@tortoisesvn.tigris.org, Stefan Küng
> you also have to add the internal CA to the cert store. Otherwise the
> cert in your store can not be validated: the error does not tell you
> that there is no certificate, but that the certificate (which is
> there, so Subversion found it) is unknown, i.e. not verified.

Cool, that is how I understood the message. The CA certificate *is* in the Windows certificate store. Do I also need to add it to another store? If so, how do I add it to this store?

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2880650

Stefan Küng

Nov 18, 2011, 12:27:35 PM
to us...@tortoisesvn.tigris.org
On 18.11.2011 17:36, Frank Breedijk wrote:
>> you also have to add the internal CA to the cert store. Otherwise the
>> cert in your store can not be validated: the error does not tell you
>> that there is no certificate, but that the certificate (which is
>> there, so Subversion found it) is unknown, i.e. not verified.
>
> Cool, that is how I understood the message. The CA certificate *is* in the Windows certificate store. Do I also need to add it to another store? If so, how do I add it to this store?

You also have to import the CA itself to the store and mark it as
trusted (it must show up in the CA list).

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2880660

Frank Breedijk

Nov 18, 2011, 2:50:20 PM
to us...@tortoisesvn.tigris.org, Stefan Küng
The certificate of the internal CA is in the Windows CA list.

Does Tortoise use the windows CA list, or does it have its own CA list?
If Tortoise has its own CA list, how do I manipulate it?
Is there a web page you can refer me to (I did look for it, but could not find it)

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2880677

Stefan Küng

Nov 18, 2011, 3:01:45 PM
to us...@tortoisesvn.tigris.org, Frank Breedijk
On 18.11.2011 20:50, Frank Breedijk wrote:
> The certificate of the internal CA is in the Windows CA list.
>
> Does Tortoise use the windows CA list, or does it have its own CA list?
> If Tortoise has its own CA list, how do I manipulate it?
> Is there a web page you can refer me to (I did look for it, but could not find it)

TSVN uses OpenSSL and the svn library to do all that stuff.
Both OpenSSL and svn on Windows use the Windows CA list. But it has to
be configured correctly.
Please search the web on how to do that and verify that it actually works.

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2880678

Frank Breedijk

Nov 25, 2011, 5:36:08 AM
to us...@tortoisesvn.tigris.org
O.K., we found out what the problem was. Apparently OpenSSL uses the Windows Root CA list to validate the chain, but NOT the Windows Intermediate CA list.

Windows will assemble the chain for you if you have a server certificate, and have the intermediate CA certificate in the Intermediate CA store and the root certificate in the Root CA store.

OpenSSL on the other hand will not assemble the chain. Thus the chain will be incomplete and not validate.

On the server we have chained the server certificate with the intermediate certificate. The server now offers both the server and the intermediate certificate to OpenSSL, and OpenSSL is able to verify it using the Root CA certificate in the Root CA store.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2886773
