Newer releases of OpenSSL return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT instead of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

Tom C tomc.neon at pnl.gov
Mon Dec 28 19:57:22 EST 2009


Hello -

After upgrading my openssl library, neon fails to perform the 
accept/reject conversation. After some debugging and a bunch of playing 
around, it appears that OpenSSL 0.9.8l returns 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, while prior versions return 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. Both errors, in my mind, 
should be handled similarly.

I am submitting a patch that treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 
the same as X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

This problem rears its head when using subversion in my (mis-configured) 
environment.  Previously, subversion would allow me to accept an 
untrusted certificate.

A Google search shows that other subversion users are experiencing the 
problem.

A svn debug conversation follows:

Running pre_send hooks
compress: Initialization.
compress: Initialization.
Sending request headers:
OPTIONS /svn/exampleproject/trunk HTTP/1.1
User-Agent: SVN/1.6.6 (r40053) neon/0.29.0
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Host: examplehost
Content-Type: text/xml
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Content-Length: XXXXX
Accept-Encoding: gzip

Sending request-line and headers:
Doing DNS lookup on examplehost...
Connecting to XXX.XXX.XXX.XXX
Doing SSL negotiation.
ssl: Verify callback @ 1 => 2
ssl: Unhandled verification error 2 -> unable to get issuer certificate
Request ends, status 0 class 0xx, error line:
SSL handshake failed: SSL error: certificate verify failed
Running destroy hooks.
Request ends.
svn: OPTIONS of 'https://examplehost/svn/exampleproject/trunk': SSL handshake failed: SSL error: certificate verify failed (https://somehost)
sess: Destroying session.
sess: Destroying session.

Thanks.

~ Tom
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: issuer_cert.patch
Url: http://lists.manyfish.co.uk/pipermail/neon/attachments/20091228/94227e11/attachment.pl 
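
The handling the message asks for, as an added sketch that is neither neon's code nor the attached patch: both issuer-lookup errors set the same "untrusted" bit so the application can still run its accept/reject prompt, while any unrecognised code keeps aborting the handshake. The X509_V_ERR_* values match OpenSSL's x509_vfy.h; the FAIL_* bits and the function names are hypothetical.

```c
#include <stdio.h>

/* Verify-result codes with the values OpenSSL's <openssl/x509_vfy.h> gives
 * them, repeated here so the sketch builds without the OpenSSL headers. */
enum {
    X509_V_OK = 0,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2,
    X509_V_ERR_CERT_NOT_YET_VALID = 9,
    X509_V_ERR_CERT_HAS_EXPIRED = 10,
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18,
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19,
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
    X509_V_ERR_CERT_UNTRUSTED = 27
};
/* Hypothetical failure bits passed to the application's accept/reject prompt. */
enum { FAIL_NOTYETVALID = 0x01, FAIL_EXPIRED = 0x02, FAIL_UNTRUSTED = 0x08 };

/* Record one callback error in *failures. Returns 1 to continue the chain
 * walk, 0 for an unhandled code, which must stay a hard handshake failure. */
static int classify_verify_error(int err, int *failures)
{
    switch (err) {
    case X509_V_OK: return 1;
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:         /* 2, as in the log */
    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: /* 20, older releases */
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
    case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
    case X509_V_ERR_CERT_UNTRUSTED: *failures |= FAIL_UNTRUSTED; return 1;
    case X509_V_ERR_CERT_NOT_YET_VALID: *failures |= FAIL_NOTYETVALID; return 1;
    case X509_V_ERR_CERT_HAS_EXPIRED: *failures |= FAIL_EXPIRED; return 1;
    default: return 0;
    }
}

/* Fold the errors reported during one handshake. Returns the failure bits
 * to show the user (0 = chain verified), or -1 if the handshake must abort. */
static int verify_chain(const int *errs, int n)
{
    int failures = 0;
    for (int i = 0; i < n; i++)
        if (!classify_verify_error(errs[i], &failures))
            return -1;
    return failures;
}

int main(void) {
    const int new_lib[] = { 2, 0 }, old_lib[] = { 20, 0 }; /* constructed */
    printf("0.9.8l: 0x%x, earlier: 0x%x\n",
           verify_chain(new_lib, 2), verify_chain(old_lib, 2));
    return 0;
}
```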

