
Re: Review requested on issue #2410 (SSL client certs option)

From: Joe Orton <jorton_at_redhat.com>
Date: Fri, 27 Jun 2008 16:26:49 +0100

On Thu, Jun 26, 2008 at 12:27:32PM -0400, Karl Fogel wrote:
> Add a configuration setting to allow the user to tell Subversion that
> they don't have any SSL client certificates. This option can be set
> globally or in a [server] block.

The current behaviour (svn prompting for a filename when an SSL client
cert is requested) is pretty unusual - I don't know why it works like
this. I can't think of a common use case where the behaviour is
particularly useful, and certainly there are lots where it is actively
unhelpful, e.g. as per the referenced bug.

If you are using an SSL server which requires client cert auth, you will
most likely have configured that beforehand. If you are using it
regularly you certainly won't be typing in that filename every commit.

If you are using such a server, and you *don't know* that it requires
client cert auth, chances are you don't have one.

If you're using some global-ish PKI with lots of servers which might
require client cert auth, you will have configured that beforehand too.

Rather than pushing yet-more config knobs down into ra_* I would suggest
adding a config toggle which only adds the prompting provider if a
config boolean is enabled (but is off by default). That would solve
this bug and make the default behaviour correct to boot. Possible
problems:

1) this is arguably a backwards compat break, but it's not like this is
going to break scripts since it's only removing a case which always
requires interactive input.

2) the default error for the "SSL server requested a client cert but
none was provided" is probably an obscure SSL error message; this is the
only real value of the current prompt. This could probably be improved.

Thoughts?

joe

Received on 2008-06-27 17:27:06 CEST

This is an archived mail posted to the Subversion Dev mailing list.