
Re: commit-email.pl and client certificates

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2005-01-27 14:34:53 CET

On Jan 27, 2005, at 4:12 AM, Graham Leggett wrote:

> Travis P said:
>
>>> b) Try using the SSL "FakeBasicAuth" directive, which I believe
>>> copies the certificate CN into the basic-auth header of the http
>>> request.
>>
>> Ben said "or," but I think you probably want "and": "Require
>> valid-user", so the challenge is always made and "FakeBasicAuth" so
>> that the basic-auth header is filled in with the full CN.
>
> Do you have an example of where this is used in practice? The httpd
> docs only say that the FakeBasicAuth option exists, but it makes no
> mention of how to use it. Simply adding the option does nothing - the
> author stays blank in the commit email - and adding require valid-user
> suddenly draws in the need for a separate password file (which is
> redundant, that's what certs and crls are for).
>
> Any ideas?
>

Why don't you show us what you're doing?

The docs (http://httpd.apache.org/docs-2.0/mod/mod_ssl.html) say that

    SSLOptions +FakeBasicAuth

... "When this option is enabled, the Subject Distinguished Name (DN)
of the Client X509 Certificate is translated into a HTTP Basic
Authorization username. This means that the standard Apache
authentication methods can be used for access control. The user name
is just the Subject of the Client's X509 Certificate (can be
determined by running OpenSSL's openssl x509 command: openssl x509
-noout -subject -in certificate.crt). Note that no password is
obtained from the user. Every entry in the user file needs this
password: ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the
word ``password''. Those who live under MD5-based encryption (for
instance under FreeBSD or BSD/OS, etc.) should use the following MD5
hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''".

Sounds like you'll need a password file.

Received on Thu Jan 27 14:36:41 2005

This is an archived mail posted to the Subversion Dev mailing list.
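
The setup discussed in this thread, sketched as an added example that is not part of the original mail or of the Subversion or httpd documentation: a client-certificate-protected Subversion location that combines "SSLOptions +FakeBasicAuth" with "Require valid-user" and the password file the quoted documentation calls for. All paths, the realm name and the subject DN are assumed placeholders.

```apache
# Added example; every path, the realm and the DN are assumed placeholders.

# Virtual-host level: the CA that issues client certificates and its CRL.
SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
SSLCARevocationFile   /etc/apache2/ssl/client-ca.crl

<Location /svn>
    DAV svn
    SVNPath /var/svn/repos

    # The certificate is the real credential: require one and verify it
    # against the CA above before the request is processed.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Turn the verified certificate's Subject DN into a Basic-auth user
    # name, so the ordinary auth modules (and the commit author) see it.
    SSLOptions +FakeBasicAuth

    # "Require valid-user" makes httpd run the auth check; that check
    # looks the DN up in the user file below.
    AuthType     Basic
    AuthName     "Subversion (client certificate)"
    AuthUserFile /etc/apache2/svn-cert-users
    Require      valid-user
</Location>

# /etc/apache2/svn-cert-users holds one line per permitted subject. The
# user name is the Subject DN; the password field is always the fixed
# DES hash of "password" quoted from the mod_ssl documentation:
#
#   /C=US/O=Example Org/CN=Jane Committer:xxj31ZMTZzkVA
```

Because every entry carries the same published password hash, the user file works as an allow-list of certificate subjects rather than as a secret; certificate validity and revocation are still enforced by SSLVerifyClient and the CRL.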