<html>#1812: GetComponents needs to come with (a selected few) trusted certificates
<table style='border-spacing: 1ex 0pt; '>
<tr><td style='text-align:right'> Reporter:</td><td>Frank Löffler</td></tr>
<tr><td style='text-align:right'> Status:</td><td>wontfix</td></tr>
<tr><td style='text-align:right'>Milestone:</td><td></td></tr>
<tr><td style='text-align:right'> Version:</td><td>development version</td></tr>
<tr><td style='text-align:right'> Type:</td><td>enhancement</td></tr>
<tr><td style='text-align:right'> Priority:</td><td>minor</td></tr>
<tr><td style='text-align:right'>Component:</td><td>GetComponents</td></tr>
</table>
<p>Changes (by Roland Haas):</p>
<p><table>
<tr><td>status:</td><td>wontfix (was new)</td></tr>
</table></p>
<p>Most encrypted connections use some form of certificates. We use both ssl for subversion and git. The problem with certificates is that the certificate of the root CA has to be trusted by a client to be able to form a trusted connection. Otherwise users get warnings, and either cannot connect at all, or have to manually approve. We don't want both happening with GetComponents.</p>
<p>Root CA certificates have to be changed from time to time. They have a limited life time. In addition, there is a big movement away from SHA-1 certificates right now, as this has been found weak. The problem with that is that an updated root CA might not have it made to all (or at least most) clients at the time a user might have to trust it. Usually, root CAs are created, but not actually used for some time for that reason. Security problems like SHA-1 interfere with that. All this is nothing we can change.</p>
<p>So, in the light of root CAs possibly faster changing than clients update (and especially supercomputers update slowly in particular), we have to have a mechanism to make GetComponents still work 'out of the box' with these - no matter what the protocol is that actually uses it.</p>
<p>Right now, we only seem to have problems with svn, but in the future we might have the same problem with git (bitbuckets root CA is still using SHA-1).</p>
<p>For Subversion I propose the following. We ship 'too new' certificates with GetComponents (in-source, to still have one file). We then write this to a temporary file during checkout, and use the following option to svn to get it to accept it:</p>
<div class="codehilite"><pre><span></span>--config-option servers:global:ssl-authority-files=<FILE>
</pre></div>
<p>This mechanism was tested manually on one of the problematic machines (stampede), with one of the problematic certs (InCommon).</p>
<p>This only works for svn version 1.6 and newer. Most installations should have that. In case we encounter an older one we could disable trusted cert checking for problematic cases using
<p>--<br/>
Ticket URL: <a href='https://bitbucket.org/einsteintoolkit/tickets/issues/1812/getcomponents-needs-to-come-with-a'>https://bitbucket.org/einsteintoolkit/tickets/issues/1812/getcomponents-needs-to-come-with-a</a></p>
</html>