Hi, Replying to myself, but it's because I've found something else related to this problem, which might be useful to others.
I had always been using the following command to get the name of the file in which my custom CA is looked for :

  openssl x509 -hash -noout -in myca.crt

This used to give me "b903d65c" (as seen in the trace below), but on RHEL6 it gives "c3314365". This is apparently because openssl now uses a new hash mechanism, and since I was dynamically generating a symlink using the value returned by openssl, that symlink was now different with openssl being run on RHEL6.

The changes as seen in the --help output :

 -subject_hash     - print subject hash value
 -subject_hash_old - print old-style (MD5) subject hash value
 -issuer_hash      - print issuer hash value
 -issuer_hash_old  - print old-style (MD5) issuer hash value
 -hash             - synonym for -subject_hash

Using -subject_hash_old gives me the same hash RHEL5 does.

I hope this might help others prevent some breakage :-)

Matthias

Matthias Saou wrote :

> Hi,
>
> I can't seem to figure out the proper clean way to have the svn CLI
> client trust all https URLs using certificates signed by an internal
> CA. With RHEL5, it was easy :
>
> $ strace svn co https://myserver/repo/ 2>&1 | grep pki
> open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
> open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
> stat("/etc/pki/tls/certs/b903d65c.0", 0x7fff7f839980) = -1 ENOENT (No such file or directory)
>
> The SSL library being used looked for a CA certificate named after a
> hash specific to that certificate (which you got with openssl x509
> -hash -noout -in myca.crt). With RHEL6 this happens no more :
>
> $ strace svn co https://myserver/repo/ 2>&1 | grep pki
> open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 4
> open("/etc/pki/tls/certs/ca-bundle.crt", O_RDONLY) = 4
>
> Appending my CA's certificate to ca-bundle.crt works of course, but
> it's a much more fragile and less elegant solution. Does anyone know
> what the proper way is now?
>
> Matthias
>

-- 
Clean custom Red Hat Linux rpm packages : http://freshrpms.net/
Fedora release 14 (Laughlin) - Linux kernel 2.6.35.11-83.fc14.x86_64
Load : 0.00 0.02 0.10
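
The symlink breakage described in the message above can be avoided by linking the CA under both hash names, so clients built against either hash mechanism find it. This is an added example, not code from the original post; the function names and the script name are hypothetical, and it assumes the certificate is given as an absolute path.

```shell
#!/bin/sh
# Added example: link a CA certificate under both OpenSSL subject-hash names.
# Usage (script name is hypothetical):
#   sh link-ca-hashes.sh /abs/path/myca.crt /etc/pki/tls/certs

# Print every hash name this openssl build can compute for the cert.
ca_hash_names() {
    # -subject_hash: the value -hash prints on this build
    openssl x509 -noout -subject_hash -in "$1" || return 1
    # -subject_hash_old: old-style (MD5) value; builds that predate the
    # change do not know the flag, so a failure here is not an error
    openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null || true
}

# Create <hash>.N symlinks in dir for cert and print each link created.
# N is the first free slot: the library probes .0, .1, ... in order, so a
# different CA that shares the hash must keep its own slot.
link_ca_hashes() {
    cert=$1
    dir=$2
    # Assumption: absolute path, because the link target is stored verbatim
    case $cert in
        /*) ;;
        *) echo "certificate path must be absolute: $cert" >&2; return 1 ;;
    esac
    hashes=$(ca_hash_names "$cert") || return 1
    for h in $hashes; do
        n=0
        while [ -e "$dir/$h.$n" ] || [ -L "$dir/$h.$n" ]; do
            # Already linked to this cert: nothing to do for this hash
            if [ "$(readlink "$dir/$h.$n")" = "$cert" ]; then
                continue 2
            fi
            n=$((n + 1))
        done
        ln -s "$cert" "$dir/$h.$n" && echo "$dir/$h.$n"
    done
}

# Run only when called with both arguments
if [ "$#" -eq 2 ]; then
    link_ca_hashes "$1" "$2"
fi
```

Running it again after an openssl upgrade is safe: existing links to the same certificate are left alone and only missing hash names are added.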
