SQL Source Control received an invalid HTTPS certificate

Post by jbernardini » Thu May 06, 2010 11:17 pm

My svn server uses SSL signed by an internal CA. If you browse svn via a browser you don't get any messages. However, when I try to link a database to a repository on this svn server I receive the following:

SQL Source Control received an invalid HTTPS certificate while connecting to your source control system.

It was invalid in the following ways:
- It was not issued by someone that you trust, or it has been revoked

This could mean that a hacker is impersonating your source control system. If you were expecting this error to occur, or if your system administrator tells you that is is safe to do so, then press OK. Otherwise please press Cancel.
jbernardini
 
Posts: 5
Joined: Mon Mar 03, 2008 6:55 pm

Post by DavidSimner » Fri May 07, 2010 7:01 pm

The error message from SQL Source Control means that it does not trust the SSL certificate that your Subversion server uses. Given the circumstances you describe ("signed by an internal CA") I would guess that this is because SQL Source Control doesn't know that your internal CA should be trusted.

Can I ask what web browser it works fine in?

SQL Source Control should trust all the SSL certificates that Internet Explorer trusts, so if the answer is Internet Explorer, then this is an unknown bug, and I'd very much like to work with you to understand and fix what is causing it to go wrong.

If the answer is not Internet Explorer (e.g. Firefox, Chrome, Safari, etc), then unfortunately at this time, SQL Source Control does not trust all the SSL certificates that they trust, and so I would expect the behaviour that you observed to occur. As a workaround, until we've fixed this, you can either: (1) click the OK button, or (2) configure Internet Explorer to trust your internal CA's SSL certificate.

Looking forward to hearing from you,

David
DavidSimner
 
Posts: 49
Joined: Thu Feb 04, 2010 6:05 pm

Post by jbernardini » Tue May 11, 2010 12:17 am

Hi David, it shows trusted in IE and Firefox. Since Firefox is excluded for now and it should be trusted, since IE trusts the site and you can validate the Certificate Path I'm very interested in working with you. I'm hesitant to click the OK button for fear of never being able to reproduce it.
Just let me know how you'd like to tackle this.
jbernardini
 
Posts: 5
Joined: Mon Mar 03, 2008 6:55 pm

Post by DavidSimner » Tue May 11, 2010 6:06 pm

So the thing that would be easiest for me is if I could reproduce your problem here. Would you be able to send me a copy of all of the HTTPS certificates in the chain? This will enable me to create a very similar certificate chain here, and easily debug the issue.

The following instructions will let you save the HTTPS certificate chain from Firefox 3.6.3, but hopefully they should be fairly similar for other versions:

1. Connect to the relevant server, e.g. by putting https://server/ in the address bar, and pressing enter.
2. After the page has loaded, right-click somewhere on the page.
3. Left-click the View Page Info menu item.
4. Left-click the Security tab.
5. Left-click the View Certificate button.
6. Left-click the Details tab.
7. For each one of the certificates in the Certificate Hierarchy, left-click on it to select it, and then click the Export button; the default file name should be fine, so just click the Save button.

You should now have several files, one for each one of the certificates in the Certificate Hierarchy.

If you could email me all of the files, david.simner@red-gate.com, that would be awesome :)
DavidSimner
 
Posts: 49
Joined: Thu Feb 04, 2010 6:05 pm

Post by jbernardini » Tue May 11, 2010 8:22 pm

I have sent you an email with the requested items attached. Please let me know if you don't receive it.
jbernardini
 
Posts: 5
Joined: Mon Mar 03, 2008 6:55 pm

Post by jbernardini » Tue May 18, 2010 10:49 pm

I resolved this issue by adjusting a file installed with SQL Source Control. I exported our CA certificate from the Certificate Manager in PEM format and saved it to my C drive. I then modified the file %APPDATA%\Subversion\servers, adjusting the parameter ssl-authority-files to read: ssl-authority-files = c:\ca.pem
jbernardini
 
Posts: 5
Joined: Mon Mar 03, 2008 6:55 pm
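
What the `ssl-authority-files` change in the last post does to the client's trust decisions, as an added example (not code from the thread or from Red Gate): it reads the text of a Subversion `servers` file and returns the extra CA files that apply to a given host, comparing the option placed in `[global]` with the same option scoped to a server group. The host names, the `internal` group and the placement of the thread's setting in `[global]` are assumptions, and group lookup is simplified to the first matching group.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the thread's option, assumed to sit in [global].
GLOBAL_FORM = r"""
[global]
ssl-authority-files = c:\ca.pem
"""

# Constructed sample: same CA, trusted only for hosts in a hypothetical group.
SCOPED_FORM = r"""
[groups]
internal = svn.corp.example, *.dev.corp.example

[internal]
ssl-authority-files = c:\ca.pem

[global]
# no additional CAs for other hosts
"""

def authority_files(servers_text, host):
    """Return the extra CA files the settings apply to `host`."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %APPDATA% literal
    cfg.optionxform = str                                # keep group-name case
    cfg.read_string(servers_text)
    sections = ["global"]
    if cfg.has_section("groups"):
        for group, patterns in cfg.items("groups"):
            globs = [p.strip().lower() for p in patterns.split(",")]
            if any(fnmatchcase(host.lower(), g) for g in globs):
                sections.insert(0, group)  # group settings override [global]
                break                      # simplification: first match wins
    for name in sections:
        value = cfg.get(name, "ssl-authority-files", fallback="")
        if value.strip():
            # the option is a semicolon-delimited list of PEM file paths
            return [p.strip() for p in value.split(";") if p.strip()]
    return []

if __name__ == "__main__":
    for label, text in (("global", GLOBAL_FORM), ("scoped", SCOPED_FORM)):
        for host in ("svn.corp.example", "svn.other.example"):
            print(label, host, authority_files(text, host))
```

With the `[global]` form the internal CA is accepted for every HTTPS repository the client contacts; the group form limits it to the named hosts.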

