Date: Tue, 14 Jul 2015 23:08:35 +0000 (UTC) From: Glen Barber <gjb@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r46982 - head/en_US.ISO8859-1/books/handbook/mirrors Message-ID: <201507142308.t6EN8aO2001703@svnmir.geo.freebsd.org>
Author: gjb Date: Tue Jul 14 23:08:34 2015 New Revision: 46982 URL: https://svnweb.freebsd.org/changeset/doc/46982 Log: Update the svn mirror list to reflect that svn.freebsd.org is now GeoDNS-backed, and a single, official SSL certificate is now used. In collaboration with: peter Sponsored by: The FreeBSD Foundation Modified: head/en_US.ISO8859-1/books/handbook/mirrors/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/mirrors/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/mirrors/chapter.xml Tue Jul 14 22:07:01 2015 (r46981) +++ head/en_US.ISO8859-1/books/handbook/mirrors/chapter.xml Tue Jul 14 23:08:34 2015 (r46982) 
@@ -617,101 +617,47 @@ Comment out for now until these can be v <para>The master &os; <application>Subversion</application> server, <systemitem class="fqdomainname">svn.FreeBSD.org</systemitem>, is - publicly accessible, read-only. That may change in the - future, so users are encouraged to use one of the official - mirrors. To view the &os; + publicly accessible, and redirects to the closest official + mirror using GeoDNS. To view the &os; <application>Subversion</application> repositories through a browser, use <link xlink:href="http://svnweb.FreeBSD.org/">http://svnweb.FreeBSD.org/</link>.</para> <note> - <para>The &os; <application>Subversion</application> mirror - network is still in its early days, and will likely change. - Do not count on this list of mirrors being static. In - particular, the <acronym>SSL</acronym> certificates of the - servers will likely change at some point.</para> + <para>The &os; <application>Subversion</application> mirrors + previously used self-signed SSL certificates documented in + this chapter. As of July 14, 2015, all mirrors now use an + official SSL certificate that will be recognized by + <application>Subversion</application> if the <filename + role="package">security/ca_root_nss</filename> port is + installed. 
The legacy self-signed certificates are still + available, but are now considered deprecated.</para> </note> + <para>For those without the <filename + role="package">security/ca_root_nss</filename> port + installed, the SHA1 and SHA256 fingerprints are:</para> + <informaltable> - <tgroup cols="4"> - <colspec colwidth="3*"/> + <tgroup cols="2"> + <colspec colwidth="1*"/> <colspec colwidth="1*"/> - <colspec colwidth="2*"/> - <colspec colwidth="10*"/> <thead> <row> - <entry>Name</entry> - - <entry>Protocols</entry> - - <entry>Location</entry> - - <entry><acronym>SSL</acronym> Fingerprint</entry> + <entry>Hash</entry> + <entry>Fingerprint</entry> </row> </thead> <tbody> <row> - <entry><systemitem - class="fqdomainname">svn0.us-west.FreeBSD.org</systemitem></entry> - - <entry><literal>svn</literal>, <link - xlink:href="http://svn0.us-west.FreeBSD.org/"><literal>http</literal></link>, - <link - xlink:href="https://svn0.us-west.FreeBSD.org/"><literal>https</literal></link></entry> - - <entry>USA, California</entry> - - <entry>SHA1 - <literal>1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61</literal></entry> - </row> - - <row> - <entry><systemitem - class="fqdomainname">svn0.us-east.FreeBSD.org</systemitem></entry> - - <entry><literal>svn</literal>, <link - xlink:href="http://svn0.us-east.FreeBSD.org/"><literal>http</literal></link>, - <link - xlink:href="https://svn0.us-east.FreeBSD.org/"><literal>https</literal></link>, - <literal>rsync</literal></entry> - - <entry>USA, New Jersey</entry> - - <entry>SHA1 - <literal>1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61</literal></entry> - </row> - - <row> - <entry><systemitem - class="fqdomainname">svn0.eu.FreeBSD.org</systemitem></entry> - - <entry><literal>svn</literal>, <link - xlink:href="http://svn0.eu.FreeBSD.org/"><literal>http</literal></link>, - <link - xlink:href="https://svn0.eu.FreeBSD.org/"><literal>https</literal></link>, - <literal>rsync</literal></entry> - - <entry>Europe, UK</entry> - - 
<entry>SHA1 - <literal>1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61</literal></entry> + <entry>SHA1</entry> + <entry><literal>E9:37:73:80:B5:32:1B:93:92:94:98:17:59:F0:FA:A2:5F:1E:DE:B9</literal></entry> </row> <row> - <entry><systemitem - class="fqdomainname">svn0.ru.FreeBSD.org</systemitem></entry> - - <entry><literal>svn</literal>, <link - xlink:href="http://svn0.ru.FreeBSD.org/"><literal>http</literal></link>, - <link - xlink:href="https://svn0.ru.FreeBSD.org/"><literal>https</literal></link>, - <literal>rsync</literal></entry> - - <entry>Russia, Moscow</entry> - - <entry>SHA1 - <literal>F6:44:AA:B9:03:89:0E:3E:8C:4D:4D:14:F0:27:E6:C7:C1:8B:17:C5</literal></entry> + <entry>SHA256</entry> + <entry><literal>D5:27:1C:B6:55:E6:A8:7D:48:D5:0C:F0:DA:9D:51:60:D7:42:6A:F2:05:F1:8A:47:BE:78:A1:3A:72:06:92:60</literal></entry> </row> </tbody> </tgroup> 
@@ -723,32 +669,6 @@ Comment out for now until these can be v middle</quote> attack) or otherwise trying to send bad content to the end user.</para> - <para xml:id="svn-mirrors-fingerprint">On the first connection - to an <acronym>HTTPS</acronym> mirror, the user will be asked - to verify the server <emphasis>fingerprint</emphasis>:</para> - - <screen>Error validating server certificate for 'https://svn0.us-west.freebsd.org:443': - - The certificate is not issued by a trusted authority. Use the - fingerprint to validate the certificate manually! - - The certificate hostname does not match. -Certificate information: - - Hostname: svnmir.ysv.FreeBSD.org - - Valid: from Jul 29 22:01:21 2013 GMT until Dec 13 22:01:21 2040 GMT - - Issuer: clusteradm, FreeBSD.org, (null), CA, US (clusteradm@FreeBSD.org) - - Fingerprint: 1C:BD:85:95:11:9F:EB:75:A5:4B:C8:A3:FE:08:E4:02:73:06:1E:61 -(R)eject, accept (t)emporarily or accept (p)ermanently?</screen> - - <para>Compare the fingerprint shown to those listed in the table - above. If the fingerprint matches, the server security - certificate can be accepted temporarily or permanently. A - temporary certificate will expire after a single session with - the server, and the verification step will be repeated on the - next connection. Accepting the certificate permanently will - store the authentication credentials in - <filename>~/.subversion/auth/</filename> and the user will not - be asked to verify the fingerprint again until the certificate - expires.</para> - <para>If <literal>https</literal> cannot be used due to firewall or other problems, <literal>svn</literal> is the next choice, with slightly faster transfers. When neither can be used, use
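Review bot: In the first hunk (@@ -617,101 +617,47), the new note says the legacy self-signed certificates "are still available, but are now considered deprecated", yet the same hunk deletes every legacy fingerprint from the table, so a reader who is still presented with one of those certificates has nothing to compare it against. Either keep the legacy fingerprints in a separate table marked deprecated, or state that a self-signed certificate should no longer be accepted. Two smaller points in the added lines: "SSL" appears bare where the removed text used <acronym>SSL</acronym>, and "As of July 14, 2015, all mirrors now use" can drop "now". The new table also removes the per-mirror protocol column, which was the only place in the visible lines that listed which mirrors offer rsync; if that information still matters it needs a new home.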
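Review bot: In the second hunk (@@ -723,32 +669,6), removing the whole "svn-mirrors-fingerprint" paragraph and its screen leaves the fingerprint table added in the first hunk without any instruction on how to use it. The first hunk introduces the fingerprints "For those without the security/ca_root_nss port installed", and those users will still get the interactive certificate prompt, so a shortened version of the compare step should stay: check the displayed fingerprint against the table, and note that accepting permanently stores the certificate under ~/.subversion/auth/. The removed screen example could be updated rather than deleted. Also confirm that nothing else in the doc tree links to xml:id="svn-mirrors-fingerprint" before dropping the id, since a dangling linkend will break the build.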