Prabhu Gnana Sundar wrote on Fri, Sep 02, 2011 at 11:54:29 +0530:
> On Monday 22 August 2011 09:37 AM, Prabhu Gnana Sundar wrote:
> >On Thursday 18 August 2011 06:46 PM, Daniel Shahaf wrote:
> >>I tried your patch against
> >>https://svn.eu.apache.org/repos/asf/subversion/README
> >>(which uses a non-self-signed cert, but rather one for which the cert's
> >>hostname differs from the URI's hostname), and it didn't seem to work:
> >>
> >>[[[
> >> ./tools/examples/get-location-segments.py
> >>https://svn.eu.apache.org/repos/asf/subversion/README
> >>Untrusted cert details are as follows:
> >>--------------------------------------
> >>Issuer : 07969287,
> >>http://certificates.godaddy.com/repository, GoDaddy.com, Inc.,
> >>Scottsdale, Arizona, US
> >>Hostname : svn.apache.org
> >>ValidFrom : Thu, 13 Nov 2008 18:56:12 GMT
> >>ValidUpto : Thu, 26 Jan 2012 14:18:55 GMT
> >>Fingerprint: cc:54:a4:a9:ec:3a:9b:1c:23:ac:2d:57:c6:96:9f:5f:4a:1d:2d:86
> >>
> >>accept (t)temporarily (p)permanently: t
> >>Traceback (most recent call last):
> >> File "./tools/examples/get-location-segments.py", line 147,
> >>in<module>
> >> main()
> >> File "./tools/examples/get-location-segments.py", line 142, in main
> >> ra_session = ra.open(url, ra_callbacks, None, ctx.config)
> >> File "/usr/lib/pymodules/python2.6/libsvn/ra.py", line 534,
> >>in svn_ra_open
> >> return _ra.svn_ra_open(*args)
> >>svn.core.SubversionException: ("OPTIONS of
> >>'https://svn.eu.apache.org/repos/asf/subversion/README': Server
> >>certificate verification failed: certificate issued for a
> >>different hostname (https://svn.eu.apache.org)", 175002)
> >>zsh: exit 1 ./tools/examples/get-location-segments.py
> >>]]]
> >>
> >>What am I missing?
> >>
> >
> >Something interesting... It is failing for me only with neon, but
> >working fine with serf, seeing some inconsistencies here...
>
> Observations after immense exploration by Vijay and me...
>
> I am using OpenSSL0.9.8o and Neon0.27. The problem is that this
> version of OpenSSL does not have the SNI support whereas this
> version of neon has a (broken) default SNI support.
>
> This has been fixed in OpenSSL1.0.0d and Neon0.28.

I used OpenSSL 0.9.8o and Neon 0.29.3, so that should explain the errors I saw. Thanks!