Subversion certificate error

I haven't been able to perform secure (https) Subversion checkouts or commits at SourceForge lately. I get the following error:

Certificate verification error: certificate signature failure (https://svn.code.sf.net)

Does this mean I need new certificates for AmiSSL and where can I get new AmiSSL certificates??

Hi Xenic, did you solve your problem ?

@abalaban

I don't think that Xenic has managed to solve or work around the problem, as it's more complicated than it sounds. In short, AmiSSL has slowly become to old, so you'll have to wait until it has been updated.

Hans

@abalaban
No, but Solie informed me in a similar post at the Hyperion forums (General Developer Support) that AmiSSL is being worked on and that the problem can't be solved until that's done.

Yesterday I had to work on SF.net hosted MUIbase repository, and faced the exact same problem. In order to be able to update my working copy I did the following:
- opened up in Notepad SUBVERSION:servers
- copy the following in it:

--- snip ---
[groups]
sf = *.code.sf.net

[sf]
sssl-trust-default-ca = no
--- snip ---

- save the file
- svn update in the repository you like, then approve permanently the server fingerprint and "et voilà!"

Note: I am note an OpenSSL expert, and I cannot guarantee that this does not open a breach in your AmiSSL installation, however to my understanding it deactivates default CA verification for the servers at *.code.sf.net.

@abalaban
Thanks for the tip. I'll give it a try. Since OS4 Subversion includes the sources, I wonder it would be easier to keep it current with SSL changes if it were updated to use libopenSSL instead of AmiSSL. I don't really understand how any SSL works so AmiSSL may not be the major problem.

AFAIK the reason they didn't update AmiSSL yet is some API breakage in the latest OpenSSL. If this is the case, then you are indeed better off with linking OpenSSL statically.

To anyone considering statically linking with OpenSSL on AmigaOS: Please use dynamic linking (of shared objects) instead.

AmigaOS provides the ability to link to *nix style shared objects, so you may as well use it. That way only the shared object will need to be recompiled every time OpenSSL is updated.

Hans

@BSzili

AFAIK this problem already arose some time ago with AmiSSL and they managed to resolve it using library version both in the main library and in crypto sub-libraries. This can probably be replicated somehow. Moreover seeing the AmiSSL repo it seems someones are working on it already...

@Hans

I like the AmiSSL solution because it gives a chance to have a central place where one can administrate and update its certificates and replicate them all over its HD with different versions of certificates and possible outdated ones.

Good to know. The last OpenSSL merge was in august, so I had no idea they are working on it already.

Has this been solved??

@alfkil
Xenic have workoround for : abalaban sent him the settings to let SVN ignore SSL errors. That no solution of course, but a workaround, but still you can do commits :)

I do not remember which settings are, probably xenic or abalaban can asnwer (or manual can help for)

@alfkil
Not solved as far as I know but abalaban gave instructions for a workaround in one of his posts above these latest posts. I just left the workaround in place and haven't tested if SVN works without the workaround.

@xenic

I saw it, and tried it, but I don't have a file named "servers" in my subversion: directory, and putting the text there didn't solve the problem.

I have no memory of how I initially got svn to work with the repo. So I am not really able to do a lot of jiggling here.

@alfkil

I realize this may not be the answer you are looking for, but you could also try sgit and GitHub/BitBucket if this is your own project.

@Capehill

Hey, I didn't know we had git! :) I remember trying to look into the possibility of using git, when I first started work on Qt. It seems, that the sgit implementation still has limitations. But I think, I will give it a go. Thanks!

@alfkil
My subversion: directory has always had a config file and an example server file. Maybe they came with some old Amiga Subversion release but I can't remember. However the server file was just a bunch of commented out examples and I added the lines abalaban suggested at the bottom. I would assume a newly created server file without the examples would work. Here are the lines I added to my server file:

###
[groups]
sf = *.code.sf.net

[sf]
ssl-trust-default-ca = no

I also found that the new sf.net checkout in the examples didn't work with Amiga Subversion but the old https:// method does. For example:

svn checkout https://svn.code.sf.net/p/diropus4/code/dopus4-os4/trunk diropus4

The server may still complain about certificates but will send you a fingerprint that you can accept to continue.

@xenic

It works now, I just needed to fix a folder, that accidentally got deleted. Thanks!