brew cannot fetch subversion over HTTPS on Mojave

The system subversion on macOS 10.14 does not accept the certificate:

$ svn checkout https://svn.code.sf.net/p/spimsimulator/code
Error validating server certificate for 'https://svn.code.sf.net:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: code.sf.net
 - Valid: from Aug 14 23:27:21 2018 GMT until Nov 12 23:27:21 2018 GMT
 - Issuer: Let's Encrypt Authority X3, Let's Encrypt, US
 - Fingerprint: 98:EC:30:AC:FE:35:49:7D:3C:31:96:98:E6:CB:D8:94:05:EC:84:0B
(R)eject, accept (t)emporarily or accept (p)ermanently? ^C
svn: E170013: Unable to connect to a repository at URL 'https://svn.code.sf.net/p/spimsimulator/code'

$ svn --version
svn, version 1.10.0 (r1827917)
   compiled Aug  8 2018, 02:29:47 on x86_64-apple-darwin17.0.0

Copyright (C) 2018 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /Users/fx/.subversion
* GPG-Agent
* Mac OS X Keychain

Speaking of High Sierra: System svn is redirected to the copy inside Xcode. It uses serf for communication, which in turn uses LibreSSL for crypto. System provides two versions of the latter, serf links to the older one libcrypto.35.dylib/libssl.35.dylib (in /usr/lib). These seem to be based on LibreSSL 2.2.x. The newer (unused) version is 2.5. What root certificate store they use? Maybe /private/etc/ssl/cert.pem or do they read from the native database?

Question how this build setup was modified in Mojave. Perhaps it's being linked again to the still distributed 0.9.7/0.9.8 OpenSSL libraries? Or a wrong cert store?

On Mojave, with the Xcode 10 beta:

einstein:~ fx$ otool -L /Applications/Xcode.app/Contents/Developer/usr/bin/svn
/Applications/Xcode.app/Contents/Developer/usr/bin/svn:
    @rpath/libsvn_client-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_wc-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_diff-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra_local-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_repos-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs_fs-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs_x-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs_util-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra_svn-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libsasl2.2.dylib (compatibility version 3.0.0, current version 3.15.0)
    @rpath/libsvn_ra_serf-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libserf-1.0.dylib (compatibility version 1.3.0, current version 1.3.9)
    @rpath/libsvn_delta-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_subr-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libexpat.1.dylib (compatibility version 7.0.0, current version 8.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
    /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.18.0)
    /usr/lib/libaprutil-1.0.dylib (compatibility version 4.0.0, current version 4.0.0)
    /usr/lib/libapr-1.0.dylib (compatibility version 5.0.0, current version 5.8.0)
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 929.1.0)
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 58286.200.213)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1549.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.200.5)
einstein:~ fx$ otool -L /Applications/Xcode.app/Contents/Developer/usr/lib/libserf-1.0.dylib
/Applications/Xcode.app/Contents/Developer/usr/lib/libserf-1.0.dylib:
    @rpath/libserf-1.0.dylib (compatibility version 1.3.0, current version 1.3.9)
    /usr/lib/libcrypto.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libapr-1.0.dylib (compatibility version 5.0.0, current version 5.8.0)
    /usr/lib/libaprutil-1.0.dylib (compatibility version 4.0.0, current version 4.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.200.5)
einstein:~ fx$ ls /usr/lib/libcrypto.*
/usr/lib/libcrypto.0.9.7.dylib  /usr/lib/libcrypto.41.dylib
/usr/lib/libcrypto.0.9.8.dylib  /usr/lib/libcrypto.42.dylib
/usr/lib/libcrypto.35.dylib /usr/lib/libcrypto.dylib
einstein:~ fx$ ls /usr/lib/libssl.*
/usr/lib/libssl.0.9.7.dylib /usr/lib/libssl.43.dylib
/usr/lib/libssl.0.9.8.dylib /usr/lib/libssl.44.dylib
/usr/lib/libssl.35.dylib    /usr/lib/libssl.dylib

On High Sierra it has the same structure:

$ otool -L /Applications/Xcode.app/Contents/Developer/usr/bin/svn
/Applications/Xcode.app/Contents/Developer/usr/bin/svn:
    @rpath/libsvn_client-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_wc-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_diff-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra_local-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_repos-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs_fs-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs_x-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_fs_util-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra_svn-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_ra_serf-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libserf-1.0.dylib (compatibility version 1.3.0, current version 1.3.9)
    @rpath/libsvn_delta-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    @rpath/libsvn_subr-1.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libexpat.1.dylib (compatibility version 7.0.0, current version 8.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
    /usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.8.0)
    /usr/lib/libaprutil-1.0.dylib (compatibility version 4.0.0, current version 4.0.0)
    /usr/lib/libapr-1.0.dylib (compatibility version 5.0.0, current version 5.8.0)
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 822.28.0)
    /System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 58286.50.210)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1452.20.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)
$ otool -L /Applications/Xcode.app/Contents/Developer/usr/lib/libserf-1.0.dylib
/Applications/Xcode.app/Contents/Developer/usr/lib/libserf-1.0.dylib:
    @rpath/libserf-1.0.dylib (compatibility version 1.3.0, current version 1.3.9)
    /usr/lib/libcrypto.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)
    /usr/lib/libapr-1.0.dylib (compatibility version 5.0.0, current version 5.8.0)
    /usr/lib/libaprutil-1.0.dylib (compatibility version 4.0.0, current version 4.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.11)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)
$ ls /usr/lib/libcrypto.*
/usr/lib/libcrypto.0.9.7.dylib  /usr/lib/libcrypto.0.9.8.dylib
/usr/lib/libcrypto.35.dylib /usr/lib/libcrypto.41.dylib 
/usr/lib/libcrypto.dylib
$ ls /usr/lib/libssl.*
/usr/lib/libssl.0.9.7.dylib /usr/lib/libssl.0.9.8.dylib 
/usr/lib/libssl.35.dylib    /usr/lib/libssl.43.dylib    
/usr/lib/libssl.dylib

So it may be either a minor version breakage in one of the libs, a system lib breakage (unlikely), or a different root CA list, though Let's Encrypt should be pretty much supported by anything from the last two years either via cross-sign or their native root. That's a wide problem space.

A quick take on impacted formula in homebrew-core:

$ rg 'svn:' | rg 'url' | awk '{print $1}' | sort -u
Formula/moc.rb:
Formula/mplayer.rb:
Formula/pcre.rb:
Formula/smpeg.rb:
Formula/smpeg2.rb:
Formula/xmoto.rb:

$ rg 'svn:' | rg 'head' | awk '{print $1}' | sort -u
Formula/abuse.rb:
Formula/pcre2.rb:
Formula/smpeg2.rb:

$ rg 'svn.code.sf.net' | rg 'url' | awk '{print $1}' | sort -u
Formula/acme.rb:
Formula/ctags.rb:
Formula/dosbox.rb:
Formula/fuego.rb:
Formula/fuse-emulator.rb:
Formula/lcs.rb:
Formula/libspectrum.rb:
Formula/netpbm.rb:
Formula/spim.rb:
Formula/xu4.rb:

$ rg ':using => :svn' | rg 'url' | awk '{print $1}' | sort -u
Formula/clang-format.rb:
Formula/np2.rb:

Formula/abuse.rb:
Formula/acme.rb:
Formula/clang-format.rb:
Formula/ctags.rb:
Formula/dosbox.rb:
Formula/fuego.rb:
Formula/fuse-emulator.rb:
Formula/lcs.rb:
Formula/libspectrum.rb:
Formula/moc.rb:
Formula/mplayer.rb:
Formula/netpbm.rb:
Formula/np2.rb:
Formula/pcre.rb:
Formula/pcre2.rb:
Formula/smpeg.rb:
Formula/smpeg2.rb:
Formula/spim.rb:
Formula/xmoto.rb:
Formula/xu4.rb:

About 20 formula by this haphazard method.

Yes, it isn't Sourceforge-specific. With Mojave, SVN via HTTPS seems to have broken altogether. Reason for failing is 'Unknown Authority'. It works correctly with Homebrew Subversion (/usr/local/opt/subversion/bin/svn) though.

Submitted a Radar (#44766737). Just speculating, but this may have something to do with Subversion support being removed from Xcode 10 UI.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Apple responded this (to my specific radar #44766737):
"Our engineers haven't been able to successfully reproduce the reported behavior with the information provided."

The single line to reproduce this, is:

/Applications/Xcode.app/Contents/Developer/usr/bin/svn co https://github.com/apple/swift-cmark/trunk

Assuming that Apple have tried this and it didn't actually fail on their system, behaviour may depend on the environment. If somebody can try reproducing this on a freshly installed Mojave system, it may give some useful clues.

(On my system, it keeps failing after yesterday's Xcode release 10.1 as well.)

Yes, I sent that response about three weeks ago. Specifically, what I said was:

2018.10.08, 01:25 Jeremy Sequoia:
subversion uses libserf which uses libressl-2.2 due to needing to support macOS 10.13:
/usr/lib/libcrypto.35.dylib (compatibility version 36.0.0, current version 36.0.0)
/usr/lib/libssl.35.dylib (compatibility version 36.0.0, current version 36.0.0)

$ /usr/bin/openssl version
LibreSSL 2.2.7

^^^ Updated to use libressl-2.2's binary for testing below

$ /usr/bin/openssl s_client -showcerts -connect github.com:443
CONNECTED(00000006)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
-----BEGIN CERTIFICATE-----
MIIHQjCCBiqgAwIBAgIQCgYwQn9bvO1pVzllk7ZFHzANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE4MDUwODAwMDAwMFoXDTIwMDYwMzEy
MDAwMFowgccxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
Ewc1MTU3NTUwMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQG
A1UEBxMNU2FuIEZyYW5jaXNjbzEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRMwEQYD
VQQDEwpnaXRodWIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
xjyq8jyXDDrBTyitcnB90865tWBzpHSbindG/XqYQkzFMBlXmqkzC+FdTRBYyneZ
w5Pz+XWQvL+74JW6LsWNc2EF0xCEqLOJuC9zjPAqbr7uroNLghGxYf13YdqbG5oj
/4x+ogEG3dF/U5YIwVr658DKyESMV6eoYV9mDVfTuJastkqcwero+5ZAKfYVMLUE
sMwFtoTDJFmVf6JlkOWwsxp1WcQ/MRQK1cyqOoUFUgYylgdh3yeCDPeF22Ax8AlQ
xbcaI+GwfQL1FB7Jy+h+KjME9lE/UpgV6Qt2R1xNSmvFCBWu+NFX6epwFP/JRbkM
fLz0beYFUvmMgLtwVpEPSwIDAQABo4IDeTCCA3UwHwYDVR0jBBgwFoAUPdNQpdag
re7zSmAKZdMh1Pj41g8wHQYDVR0OBBYEFMnCU2FmnV+rJfQmzQ84mqhJ6kipMCUG
A1UdEQQeMByCCmdpdGh1Yi5jb22CDnd3dy5naXRodWIuY29tMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0
oDKgMIYuaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcy
LmNybDA0oDKgMIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItZXYtc2Vy
dmVyLWcyLmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUFBwIB
FhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGIBggrBgEF
BQcBAQR8MHowJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBS
BggrBgEFBQcwAoZGaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0
U0hBMkV4dGVuZGVkVmFsaWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAA
MIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCkuQmQtBhYFIe7E6LMZ3AKPDWY
BPkb37jjd80OyA3cEAAAAWNBYm0KAAAEAwBHMEUCIQDRZp38cTWsWH2GdBpe/uPT
Wnsu/m4BEC2+dIcvSykZYgIgCP5gGv6yzaazxBK2NwGdmmyuEFNSg2pARbMJlUFg
U5UAdgBWFAaaL9fC7NP14b1Esj7HRna5vJkRXMDvlJhV1onQ3QAAAWNBYm0tAAAE
AwBHMEUCIQCi7omUvYLm0b2LobtEeRAYnlIo7n6JxbYdrtYdmPUWJQIgVgw1AZ51
vK9ENinBg22FPxb82TvNDO05T17hxXRC2IYAdgC72d+8H4pxtZOUI5eqkntHOFeV
CqtS6BqQlmQ2jh7RhQAAAWNBYm3fAAAEAwBHMEUCIQChzdTKUU2N+XcqcK0OJYrN
8EYynloVxho4yPk6Dq3EPgIgdNH5u8rC3UcslQV4B9o0a0w204omDREGKTVuEpxG
eOQwDQYJKoZIhvcNAQELBQADggEBAHAPWpanWOW/ip2oJ5grAH8mqQfaunuCVE+v
ac+88lkDK/LVdFgl2B6kIHZiYClzKtfczG93hWvKbST4NRNHP9LiaQqdNC17e5vN
HnXVUGw+yxyjMLGqkgepOnZ2Rb14kcTOGp4i5AuJuuaMwXmCo7jUwPwfLe1NUlVB
Kqg6LK0Hcq4K0sZnxE8HFxiZ92WpV2AVWjRMEc/2z2shNoDvxvFUYyY1Oe67xINk
myQKc+ygSBZzyLnXSFVWmHr3u5dcaaQGGAR42v6Ydr4iL38Hd4dOiBma+FXsXBIq
WUjbST4VXmdaol7uzFMojA4zkxQDZAvF5XgJlAFadfySna/teik=
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowdTEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTE0MDIGA1UEAxMrRGlnaUNlcnQgU0hBMiBFeHRlbmRlZCBW
YWxpZGF0aW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBANdTpARR+JmmFkhLZyeqk0nQOe0MsLAAh/FnKIaFjI5j2ryxQDji0/XspQUY
uD0+xZkXMuwYjPrxDKZkIYXLBxA0sFKIKx9om9KxjxKws9LniB8f7zh3VFNfgHk/
LhqqqB5LKw2rt2O5Nbd9FLxZS99RStKh4gzikIKHaq7q12TWmFXo/a8aUGxUvBHy
/Urynbt/DvTVvo4WiRJV2MBxNO723C3sxIclho3YIeSwTQyJ3DkmF93215SF2AQh
cJ1vb/9cuhnhRctWVyh+HA1BV6q3uCe7seT6Ku8hI3UarS2bhjWMnHe1c63YlC3k
8wyd7sFOYn4XwHGeLN7x+RAoGTMCAwEAAaOCAUkwggFFMBIGA1UdEwEB/wQIMAYB
Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
Z2ljZXJ0LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
dC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2
MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
b20vQ1BTMB0GA1UdDgQWBBQ901Cl1qCt7vNKYApl0yHU+PjWDzAfBgNVHSMEGDAW
gBSxPsNpA/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAnbbQkIbh
hgLtxaDwNBx0wY12zIYKqPBKikLWP8ipTa18CK3mtlC4ohpNiAexKSHc59rGPCHg
4xFJcKx6HQGkyhE6V6t9VypAdP3THYUYUN9XR3WhfVUgLkc3UHKMf4Ib0mKPLQNa
2sPIoc4sUqIAY+tzunHISScjl2SFnjgOrWNoPLpSgVh5oywM395t6zHyuqB8bPEs
1OG9d4Q3A84ytciagRpKkk47RpqF/oOi+Z6Mo8wNXrM9zwR4jxQUezKcxwCmXMS1
oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
8TUoE6smftX3eg==
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3582 bytes and written 444 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: A40C2F312A32C9D51DE3A242B6E7A21DD51413AEF29D3D51ED8F4E2E8DCA6803
    Session-ID-ctx: 
    Master-Key: AAC27901AE51C02385433EE849213E3AA5CE5C8BD11BDC24B05DC92E8B32C7BB83CC4A0269D2A66D19D7EC79B4862904
    Start Time: 1538987016
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I'm also able to checkout that repo without issue.

If someone can join me on slack, that will help turnaround delays.

@jeremyhu Thanks! Sent you a DM on Slack.

Not sure why the difference, can still reproduce the issue with Xcode 10.1 on macOS 10.14:

$ /Applications/Xcode.app/Contents/Developer/usr/bin/svn ls https://github.com/apple/swift-cmark/trunk

Error validating server certificate for 'https://github.com:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: github.com
 - Valid: from May  8 00:00:00 2018 GMT until Jun  3 12:00:00 2020 GMT
 - Issuer: DigiCert SHA2 Extended Validation Server CA, www.digicert.com, DigiCert Inc, US
 - Fingerprint: CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84
(R)eject, accept (t)emporarily or accept (p)ermanently?

Same failure here with Xcode 10.1 and macOS 10.14.

/usr/bin/openssl version output:

LibreSSL 2.6.4

Confirmed on macOS 10.14.1 with Xcode 10.1 or command-line tools 10.1

Updated my above comments with the radar number.

I also got a new response saying to retry with latest macOS version (and repeated to report a way to reproduce it). That update is downloading at a very slow pace right now, so in the meantime I linked the above report of @fxcoudert.

Reproducing this is _very_ simple (running a single, Apple-supplied binary) and shouldn't normally depend on other installed software, environment or configuration, so I'm a bit at loss what else to suggest to Apple. Especially, assuming that the problem also affects Mojave CI build machines.

I can also confirm, now with macOS 10.14.1 installed, that the problem persists. (Using the same trigger command, with Xcode 10.1)

The answer to the problem is that Xcode's svn is built against an older LibreSSL version (libcrypto.35.dylib, shipping with Mojave and previous macOS releases). On Mojave, this older LibreSSL is built with a default CA bundle path _other than_ /private/etc/ssl/cert.pem, thus pointing to a file that is missing from production installs.

It can be fixed using these commands, though sudo is required:

sudo mkdir -p /usr/local/libressl-2.2/etc/ssl/
sudo ln -s /private/etc/ssl/cert.pem /usr/local/libressl-2.2/etc/ssl/

(Maybe Homebrew could use this workaround? I'm not sure.)

I've been experimenting with a non-sudo alternative, namely svn option --config-option servers:global:ssl-authority-files=/private/etc/ssl/cert.pem, but this option doesn't accept bundles, only individual certificates, so it didn't solve the problem. It makes sense that it's not trivial to override the default CA bundle with non-admin credentials though.

Short of such workaround, we'll need to wait for a next Mojave release.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

~Mojave 10.14.2 fixed the issue. Thank you @jeremyhu!~

Well, bummer, I was wrong, 10.14.2 didn't fix this :( I just left the above cited workaround enabled, and forgot about it.

No, it doesn't. I pushed for it but lost. It is fixed in the 10.14.3 beta.