Discussion:
Reverting accidental permanent acceptance of SSL certificate?
Bo Berglund
2018-02-11 15:38:30 UTC
I made a mistake when running a svn checkout towards my server!
I was *not* connected by vpn when I issued the request but rather than
having a "no connect" message I saw the certificate dialogue and since
my server uses a self-signed certificate I did not look closely but
set it to accept *permanently*....

How can I revert this? Is there a client svn command to un-accept a
certificate? All I find when googling is the opposite, i.e. how to
accept a certificate...
--
Bo Berglund
Developer in Sweden
Ralph Seichter
2018-02-11 16:16:31 UTC
Post by Bo Berglund
Is there a client svn command to un-accept a certificate?
It is easy to manually remove data from the "auth" directory, see
http://svnbook.red-bean.com/en/1.8/svn.serverconfig.netmodel.html

-Ralph
Philip Martin
2018-02-11 19:30:04 UTC
Post by Bo Berglund
How can I revert this? Is there a client svn command to un-accept a
certificate? All I find when googling is the opposite, i.e. how to
accept a certificate...
Use

svn auth

to see all the stored credentials. Use

svn auth SOMEPATTERN

to show just those matching SOMEPATTERN. Use

svn auth --remove SOMEPATTERN

to remove those matching SOMEPATTERN.
--
Philip
Bo Berglund
2018-02-11 20:00:16 UTC
On Sun, 11 Feb 2018 19:30:04 +0000, Philip Martin
Post by Philip Martin
Post by Bo Berglund
How can I revert this? Is there a client svn command to un-accept a
certificate? All I find when googling is the opposite, i.e. how to
accept a certificate...
Use
svn auth
to see all the stored credentials. Use
svn auth SOMEPATTERN
to show just those matching SOMEPATTERN. Use
svn auth --remove SOMEPATTERN
to remove those matching SOMEPATTERN.
Thanks, this helps a lot.
I have now looked into what got saved below .subversion/auth and it
seems like the bogus acceptance did not in fact make it into the auth
area while the valid certificate and login did.

I found the certificate acceptance in this file:

~/.subversion/auth/svn.ssl.server/52e60f46d8c02303aea5256b18eb7aac

It looks perfectly safe, does not contain anything especially useful.

But now I have examined the other file I found and my svn username
and password are indeed stored in plain text in the file:

~/.subversion/auth/svn.simple/03994a04eb338a432667e51f0e0720bf

It feels like it would be a bit better if this was also "encrypted" in
some way tied to my logon for example.
The file permissions are both 664, i.e. world readable...

However the parent directory "auth" has permissions set to 700 so I
guess this is some protection at least.

Case closed. :)
--
Bo Berglund
Developer in Sweden
Daniel Shahaf
2018-02-12 11:51:34 UTC
Post by Bo Berglund
~/.subversion/auth/svn.ssl.server/52e60f46d8c02303aea5256b18eb7aac
It looks perfectly safe, does not contain anything especially useful.
That file records the certificate itself (in standard encoding) and the
list of failures the certificate had when you permanently accepted it
(such as having expired, being self-signed, etc.). If, when the certificate
is next seen, it has only those failures that it had last time, it won't be
prompted for again.
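
Added example, not part of the thread: a small Python audit of the cache files discussed above, which decodes the recorded certificate failures, flags plaintext passwords and checks file modes. The key names (failures, passtype, password) and the failure bit values are assumed from Subversion's on-disk hash format and svn_auth.h, not taken from the thread; SAMPLE is constructed data.

```python
import stat
from pathlib import Path

# SVN_AUTH_SSL_* failure bits as defined in Subversion's svn_auth.h (assumed).
SSL_FAILURES = {0x1: "not yet valid", 0x2: "expired", 0x4: "hostname mismatch",
                0x8: "unknown CA (e.g. self-signed)", 0x40000000: "other"}

# Constructed sample of a svn.ssl.server entry (certificate blob omitted).
SAMPLE = (b"K 8\nfailures\nV 1\n8\nK 15\nsvn:realmstring\n"
          b"V 28\nhttps://svn.example.test:443\nEND\n")

def parse_svn_hash(data: bytes) -> dict:
    """Parse the 'K <len>/key/V <len>/value ... END' format of the auth cache."""
    out, pos = {}, 0

    def read_item(tag: bytes) -> str:
        nonlocal pos
        eol = data.index(b"\n", pos)  # ValueError if the file is truncated
        head = data[pos:eol].split()
        if len(head) != 2 or head[0] != tag:
            raise ValueError(f"expected {tag!r} header at byte {pos}")
        start, n = eol + 1, int(head[1])
        if data[start + n:start + n + 1] != b"\n":
            raise ValueError(f"length mismatch at byte {pos}")
        pos = start + n + 1
        return data[start:start + n].decode("utf-8", "replace")

    while not data.startswith(b"END", pos):
        key = read_item(b"K")
        out[key] = read_item(b"V")
    return out

def decode_failures(value: str) -> list:
    """Name the failures that were overridden when the cert was accepted."""
    return [name for bit, name in SSL_FAILURES.items() if int(value) & bit]

def audit(path: Path) -> list:
    """Return findings for one cache file under ~/.subversion/auth."""
    entry = parse_svn_hash(path.read_bytes())
    findings = []
    if "failures" in entry:
        findings.append("accepted despite: " + ", ".join(decode_failures(entry["failures"])))
    if entry.get("passtype") == "simple" and "password" in entry:
        findings.append("plaintext password stored")
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        findings.append("mode grants group/other access")
    return findings

if __name__ == "__main__":
    print(decode_failures(parse_svn_hash(SAMPLE)["failures"]))
    for f in sorted((Path.home() / ".subversion" / "auth").glob("svn.*/*")):
        print(f, audit(f))
```

A "failures" value of 8 alone means the certificate was accepted only for an untrusted issuer; any additional bit (for example hostname mismatch) on an entry you do not recognise is a reason to remove it with svn auth --remove.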
