svn - bypass ssl certificate validation in subversion

Question

I'm managing a subversion-based build system and we use a self-signed ssl for the server. So from time to time, we get build failures because a new machine has been added and it can't checkout since it's the first time for that machine to contact the svn server.

The error message is like:

icasimpan ~$ svn ls https://scm.myserver.com/trunk
Error validating server certificate for 'https://scm.myserver.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: scm.myserver.com
 - Valid: from Mon, 05 Dec 2011 00:00:00 GMT until Tue, 11 Dec 2012 23:59:59 GMT
 - Issuer: Terms of use at https://www.verisign.com/rpa (c)10, VeriSign Trust Network, VeriSign, Inc., US
 - Fingerprint: c0:69:f6:67:8d:1f:d2:85:c1:94:9f:59:8e:81:cc:81:3d:1e:44:28
(R)eject, accept (t)emporarily or accept (p)ermanently? 

What I typically need is something like --insecure parameter to curl. Right now, our workaround is to just do some simple svn command so that we could answer "permanently" to and the issue would be solved...at least until the ssl certificate gets changed/renewed again or the build is done on another new machine.

Has someone solved this issue?

Thanks in advance :)

Answer 1

I guess you have two options; throwing all caution overboard and setting trust-server-cert and non interactive from the command line:

 svn help co
 .... snip....
--non-interactive        : do no interactive prompting
--trust-server-cert      : accept unknown SSL server certificates without
                         prompting (but only with '--non-interactive')

and the other option is to use something like openssl s_client with -showcerts to check and validate if the cert has changed prior to the svn call -and then either abort very cleanly and let a human make the judgment call, or something dirty - like using the -showcert to update the known cert in ~/.subversion.

In either case - the bit of nonintuitive magic is on the files in ~/.subversion/auth/svn.ssl.server/<serverrecord> - to extract the cert info you need:

cat <serverrecord> | grep ^MII | base64decode  | openssl x509 -text -inform DER

or something like

cat <serverrecord> | grep ^MII | base64decode  | openssl x509 -text -inform DER -noout - out current-cert.pem

and can then use openssl s_client with -CApath or verify with that cert to see if it has changed and/or use -showcert to cross check. (Note: substitute perl -e 'use MIME::Base64;print decode_base64(join("",));' for base64decode if needed).