Unable to add SVN repositories over HTTPS #255

Closed
simonwelsh opened this issue Dec 7, 2012 · 14 comments

@simonwelsh
Contributor

Trying to add a SVN repository with a HTTPS URL results in "No valid/supported repository was found at the given URL"

Using the standard http URL of the same repository works fine.

@stof
Contributor

stof commented Dec 7, 2012

Do you have the openssl extension enabled?

@stof
Contributor

stof commented Dec 7, 2012

hmm, no, it should not matter for the SvnDriver

@simonwelsh
Contributor Author

Forgot to mention, this is on the packagist.org site.

@stof
Contributor

stof commented Dec 7, 2012

@simonwelsh try adding the repo as a custom repo locally and run composer install --dry-run --verbose to see what it tells you about the repo when loading it.

{
    "repositories": [
        { "type": "vcs", "url": "https://..." }
    ]
}

@simonwelsh
Contributor Author

Locally, it loads fine.

$ composer install --dry-run --verbose
Loading composer repositories with package information
Reading composer.json of pocketrent/silverstripe-facebook (0.1)
Skipped tag 0.1, no composer file was found
Reading composer.json of pocketrent/silverstripe-facebook (0.2)
Skipped tag 0.2, no composer file was found
Reading composer.json of pocketrent/silverstripe-facebook (1.0)
Skipped tag 1.0, no composer file was found
Reading composer.json of pocketrent/silverstripe-facebook (1.1)
Importing tag 1.1 (1.1.0.0)
Reading composer.json of pocketrent/silverstripe-facebook (2.0)
Importing tag 2.0 (2.0.0.0)
Reading composer.json of pocketrent/silverstripe-facebook (trunk)
Importing branch trunk (dev-trunk)
Reading composer.json of pocketrent/silverstripe-facebook (2.4-support)
Importing branch 2.4-support (dev-2.4-support)
Installing dependencies
Nothing to install or update

@Seldaek
Member

Seldaek commented Dec 8, 2012

I think it's just due to svn prompting the user to accept the ssl certificate. If there is a flag to prevent that it should be fixable.

@simonwelsh
Contributor Author

The SVN CLI has --trust-server-cert when using --non-interactive

@simonwelsh
Contributor Author

Okay, so I got SVN to forget the certificate and now the dry run gives:

$ composer install --dry-run --verbose
Loading composer repositories with package information



  [RuntimeException]
  Repository https://.../trunk could not be processed, svn: OPTIONS of 'https://...': Server certificate verification failed: issuer is not trusted (https://...)




Exception trace:
 () at phar:///Users/simon/bin/composer/src/Composer/Repository/Vcs/SvnDriver.php:299
 Composer\Repository\Vcs\SvnDriver->execute() at phar:///Users/simon/bin/composer/src/Composer/Repository/Vcs/SvnDriver.php:190
 Composer\Repository\Vcs\SvnDriver->getBranches() at phar:///Users/simon/bin/composer/src/Composer/Repository/Vcs/SvnDriver.php:68
 Composer\Repository\Vcs\SvnDriver->initialize() at phar:///Users/simon/bin/composer/src/Composer/Repository/VcsRepository.php:78
 Composer\Repository\VcsRepository->getDriver() at phar:///Users/simon/bin/composer/src/Composer/Repository/VcsRepository.php:105
 Composer\Repository\VcsRepository->initialize() at phar:///Users/simon/bin/composer/src/Composer/Repository/ArrayRepository.php:158
 Composer\Repository\ArrayRepository->getPackages() at phar:///Users/simon/bin/composer/src/Composer/DependencyResolver/Pool.php:156
 Composer\DependencyResolver\Pool->addRepository() at phar:///Users/simon/bin/composer/src/Composer/Installer.php:282
 Composer\Installer->doInstall() at phar:///Users/simon/bin/composer/src/Composer/Installer.php:187
 Composer\Installer->run() at phar:///Users/simon/bin/composer/src/Composer/Command/InstallCommand.php:77
 Composer\Command\InstallCommand->execute() at phar:///Users/simon/bin/composer/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:238
 Symfony\Component\Console\Command\Command->run() at phar:///Users/simon/bin/composer/vendor/symfony/console/Symfony/Component/Console/Application.php:193
 Symfony\Component\Console\Application->doRun() at phar:///Users/simon/bin/composer/src/Composer/Console/Application.php:101
 Composer\Console\Application->doRun() at phar:///Users/simon/bin/composer/vendor/symfony/console/Symfony/Component/Console/Application.php:106
 Symfony\Component\Console\Application->run() at phar:///Users/simon/bin/composer/src/Composer/Console/Application.php:74
 Composer\Console\Application->run() at phar:///Users/simon/bin/composer/bin/composer:37
 require() at /Users/simon/bin/composer:15


install [--prefer-source] [--prefer-dist] [--dry-run] [--dev] [--no-custom-installers] [--no-scripts] [--no-progress] [-v|--verbose] [-o|--optimize-autoloader]

This is on version 247b02d and is looking more like a problem with composer itself than packagist, as there doesn't seem to be a flag to have svn trust certificates.

@Seldaek
Member

Seldaek commented Dec 16, 2012

Well, packagist uses the composer code so that's to be expected. Anyway I am not sure how to best handle it. Always adding the --trust-server-cert flag is kind of a security issue. Making it optional might be a way, but not sure if it's a good idea even on packagist to run with --trust-server-cert always on.

@simonwelsh
Contributor Author

So, no progress on this?

I’m curious. How is allowing arbitrary HTTPS servers any less secure than allowing arbitrary HTTP or SSH servers?

@Seldaek
Member

Seldaek commented Jul 1, 2014

@simonwelsh I don't know if this is still an issue, but anyway the problem is people expect that if they use an https url for their svn repo it won't just accept any certificate. If we make it do that it is IMO reducing security.

Seldaek closed this as completed Jul 1, 2014

@simonwelsh
Contributor Author

@Seldaek This is still an issue and you can achieve this without using --trust-server-cert (see this). This issue should be reopened.

Seldaek reopened this Jul 2, 2014

@quinncomendant

I'm experiencing this now with Composer version 1.0-dev (f1aa655) 2015-08-20 11:59:54, and svn version 1.6.11:

{q@localhost} composer install
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
  - Installing strangecode/codebase (dev-trunk)
    Checking out /trunk/@537

  [RuntimeException]
  Package could not be downloaded,
  svn: OPTIONS of 'https://svn.strangecode.com/codebase/trunk': Server certificate verification
  failed: issuer is not trusted (https://svn.strangecode.com)

I'm using a self-signed certificate on that repo. Is there any way to pass the --trust-server-cert to svn via composer?

@quinncomendant

I solved the problem by connecting to the SVN repo once, and when SVN prompted me to accept the cert, I accepted it permanently, then running via composer worked:

{q@localhost} svn co https://svn.strangecode.com/codebase/trunk codebase
Error validating server certificate for 'https://svn.strangecode.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.strangecode.com
 - Valid: from Mon, 11 Dec 2006 23:15:25 GMT until Thu, 08 Dec 2016 23:15:25 GMT
 - Issuer: Strangecode Internet Consultancy, Chico, California, US
 - Fingerprint: 10:ab:14:c8:5f:4f:97:48:6e:e6:bb:36:cc:7f:b9:dd:d2:64:42:5b
(R)eject, accept (t)emporarily or accept (p)ermanently? p
A    codebase/composer.json
A    codebase/tests
…

It would be good if composer could catch this, and display a more useful error message.
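
The manual fingerprint check that svn's prompt asks for in the comment above, written out as an added example (not part of this thread and not Composer's code). It parses the prompt text and agrees to a permanent accept only if the hostname, validity window and fingerprint all match a value pinned in advance. Assumptions: the pinned fingerprint was obtained out-of-band from the server's administrator, and the names `parse_prompt` and `safe_to_accept` are hypothetical.

```python
import hmac
import re
from datetime import datetime, timezone

# Constructed sample: the prompt text svn printed in the comment above.
SVN_PROMPT = """\
Error validating server certificate for 'https://svn.strangecode.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: svn.strangecode.com
 - Valid: from Mon, 11 Dec 2006 23:15:25 GMT until Thu, 08 Dec 2016 23:15:25 GMT
 - Issuer: Strangecode Internet Consultancy, Chico, California, US
 - Fingerprint: 10:ab:14:c8:5f:4f:97:48:6e:e6:bb:36:cc:7f:b9:dd:d2:64:42:5b
"""

_DATE = "%a, %d %b %Y %H:%M:%S GMT"  # date format used in svn's prompt

def _to_utc(stamp):
    return datetime.strptime(stamp, _DATE).replace(tzinfo=timezone.utc)

def parse_prompt(text):
    """Extract hostname, validity window and fingerprint from svn's prompt."""
    def field(name):
        m = re.search(rf"^\s*- {name}: (.+)$", text, re.MULTILINE)
        if not m:
            raise ValueError(f"missing field: {name}")
        return m.group(1).strip()
    start, end = re.fullmatch(r"from (.+) until (.+)", field("Valid")).groups()
    return {"hostname": field("Hostname"),
            "not_before": _to_utc(start), "not_after": _to_utc(end),
            "fingerprint": field("Fingerprint").replace(":", "").lower()}

def safe_to_accept(text, expected_host, pinned_fp, now):
    """Return (ok, reasons); accept permanently only if every check passes."""
    cert, reasons = parse_prompt(text), []
    if cert["hostname"].lower() != expected_host.lower():
        reasons.append("hostname mismatch")
    if not cert["not_before"] <= now <= cert["not_after"]:
        reasons.append("outside validity window")
    # pinned_fp is assumed to come from a trusted out-of-band channel.
    pinned = pinned_fp.replace(":", "").lower()
    if not hmac.compare_digest(cert["fingerprint"], pinned):
        reasons.append("fingerprint differs from pinned value")
    return (not reasons, reasons)
```

Unlike `--trust-server-cert`, this keeps the decision tied to one specific certificate, so a different certificate presented later for the same URL is still rejected.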

alcohol closed this as completed Jul 18, 2019