[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] ssl client certificate use

From: David Reid <david_at_jetnet.co.uk>
Date: 2005-09-11 15:31:27 CEST

The follow patch allows a user to selectively disable the use of ssl
client certificates. This fixes a problem that arises when you have a
mixed auth environment using certs and passwords. Presently whenever the
server declares it's able to accept client certificates the user is
asked to supply a filename. This patch allows a user who doesn't have a
certificate for a server to disable that requesting.

Whether this is the best way of tackling it I'm not sure.

david

--- subversion-1.2.1/subversion/include/svn_config.h Wed Apr 6
14:21:33 2005
+++ subversion-1.2.1/subversion/include/svn_config_dr.h Sun Sep 11
13:57:26 2005
@@ -69,6 +69,7 @@
 #define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
 #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE "ssl-client-cert-file"
 #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_PASSWORD
"ssl-client-cert-password"
+#define SVN_CONFIG_OPTION_SSL_CLIENT_CERTS "ssl-client-certs"

 #define SVN_CONFIG_CATEGORY_CONFIG "config"
 #define SVN_CONFIG_SECTION_AUTH "auth"
--- subversion-1.2.1/subversion/libsvn_ra_dav/session.c Fri Jul 1
17:02:13 2005
+++ subversion-1.2.1/subversion/libsvn_ra_dav/session_dr.c Sun Sep
11 13:57:04 2005
@@ -362,6 +362,7 @@
                                         int *timeout_seconds,
                                         int *neon_debug,
                                         svn_boolean_t *compression,
+ svn_boolean_t *client_certs,
                                         svn_config_t *cfg,
                                         const char *requested_host,
                                         apr_pool_t *pool)
@@ -401,6 +402,8 @@
                      SVN_CONFIG_OPTION_HTTP_TIMEOUT, NULL);
       SVN_ERR(svn_config_get_bool(cfg, compression,
SVN_CONFIG_SECTION_GLOBAL,
                                   SVN_CONFIG_OPTION_HTTP_COMPRESSION,
TRUE));
+ SVN_ERR(svn_config_get_bool(cfg, client_certs,
SVN_CONFIG_SECTION_GLOBAL,
+ SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
TRUE));
       svn_config_get(cfg, &debug_str, SVN_CONFIG_SECTION_GLOBAL,
                      SVN_CONFIG_OPTION_NEON_DEBUG_MASK, NULL);
     }
@@ -426,6 +429,9 @@
       SVN_ERR(svn_config_get_bool(cfg, compression, server_group,
                                   SVN_CONFIG_OPTION_HTTP_COMPRESSION,
                                   *compression));
+ SVN_ERR(svn_config_get_bool(cfg, client_certs, server_group,
+ SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
+ *client_certs));
       svn_config_get(cfg, &debug_str, server_group,
                      SVN_CONFIG_OPTION_NEON_DEBUG_MASK, debug_str);
     }
@@ -575,7 +581,7 @@
   ne_uri uri = { 0 };
   svn_ra_dav__session_t *ras;
   int is_ssl_session;
- svn_boolean_t compression;
+ svn_boolean_t compression, client_certs;
   svn_config_t *cfg;
   const char *server_group;

@@ -644,6 +650,7 @@
                               &timeout,
                               &debug,
                               &compression,
+ &client_certs,
                               cfg,
                               uri.host,
                               pool);
@@ -766,10 +773,13 @@
       ne_ssl_set_verify(sess, server_ssl_callback, ras);
       ne_ssl_set_verify(sess2, server_ssl_callback, ras);
       /* For client connections, we register a callback for if the server
- wants to authenticate the client via client certificate. */
-
- ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
- ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
+ wants to authenticate the client via client certificate and we're
+ using client certificates. */
+ if (client_certs)
+ {
+ ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
+ ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
+ }

       /* See if the user wants us to trust "default" openssl CAs. */
       trust_default_ca = svn_config_get_server_setting(

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sun Sep 11 15:37:12 2005

This is an archived mail posted to the Subversion Dev mailing list.