在 subversion 中绕过 ssl 证书验证 [英] bypass ssl certificate validation in subversion

问题描述

我正在管理一个基于 subversion 的构建系统，我们为服务器使用自签名 ssl.因此，有时我们会遇到构建失败，因为添加了一台新机器并且无法结帐，因为这是该机器第一次联系 svn 服务器.

I'm managing a subversion-based build system and we use a self-signed ssl for the server. So from time to time, we get build failures because a new machine has been added and it can't checkout since it's the first time for that machine to contact the svn server.

错误信息如下:

icasimpan ~$ svn ls https://scm.myserver.com/trunk
Error validating server certificate for 'https://scm.myserver.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: scm.myserver.com
 - Valid: from Mon, 05 Dec 2011 00:00:00 GMT until Tue, 11 Dec 2012 23:59:59 GMT
 - Issuer: Terms of use at https://www.verisign.com/rpa (c)10, VeriSign Trust Network, VeriSign, Inc., US
 - Fingerprint: c0:69:f6:67:8d:1f:d2:85:c1:94:9f:59:8e:81:cc:81:3d:1e:44:28
(R)eject, accept (t)emporarily or accept (p)ermanently? 

我通常需要的是像 curl 的 --insecure 参数.现在，我们的解决方法是只执行一些简单的 svn 命令，以便我们可以永久"回答，并且问题将得到解决......至少直到 ssl 证书再次更改/更新或构建在另一个新的机器.

What I typically need is something like --insecure parameter to curl. Right now, our workaround is to just do some simple svn command so that we could answer "permanently" to and the issue would be solved...at least until the ssl certificate gets changed/renewed again or the build is done on another new machine.

有人解决了这个问题吗?

Has someone solved this issue?

提前致谢:)

推荐答案

我猜你有两个选择；抛开所有的谨慎，从命令行设置 trust-server-cert 和非交互式:

I guess you have two options; throwing all caution overboard and setting trust-server-cert and non interactive from the command line:

 svn help co
 .... snip....
--non-interactive        : do no interactive prompting
--trust-server-cert      : accept unknown SSL server certificates without
                         prompting (but only with '--non-interactive')

另一个选项是使用带有 -showcerts 的 openssl s_client 之类的东西来检查和验证证书是否在 svn 调用之前已更改 - 然后非常干净地中止并让人类做出判断调用，或者一些肮脏的东西- 就像使用 -showcert 更新 ~/.subversion 中的已知证书一样.

and the other option is to use something like openssl s_client with -showcerts to check and validate if the cert has changed prior to the svn call -and then either abort very cleanly and let a human make the judgment call, or something dirty - like using the -showcert to update the known cert in ~/.subversion.

在任何一种情况下 - 在 ~/.subversion/auth/svn.ssl.server/<serverrecord> 中的文件上都有一些不直观的魔法 - 提取您需要的证书信息:

In either case - the bit of nonintuitive magic is on the files in ~/.subversion/auth/svn.ssl.server/<serverrecord> - to extract the cert info you need:

cat <serverrecord> | grep ^MII | base64decode  | openssl x509 -text -inform DER

或类似的东西

cat <serverrecord> | grep ^MII | base64decode  | openssl x509 -text -inform DER -noout - out current-cert.pem

然后可以使用 openssl s_client 和 -CApath 或使用该证书进行验证以查看它是否已更改和/或使用 -showcert 进行交叉检查.(注意:如果需要，将 perl -e 'use MIME::Base64;print decode_base64(join("",));' 替换为 base64decode).

and can then use openssl s_client with -CApath or verify with that cert to see if it has changed and/or use -showcert to cross check. (Note: substitute perl -e 'use MIME::Base64;print decode_base64(join("",));' for base64decode if needed).

这篇关于在 subversion 中绕过 ssl 证书验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！