
Re: Problem with SSL auth with preshared certs E120171

From: Simon D Morris <simon.d.morris_at_gb.abb.com>
Date: Sat, 18 Jan 2014 08:17:21 +0000

Stefan Küng <tortoisesvn_at_gmail.com> wrote on 17/01/2014 20:14:53:

>
> First: do not use preshared key authentication. Just don't.
> http://technet.microsoft.com/en-us/library/cc782582%28v=WS.10%29.aspx
>
> "The use of preshared key authentication is not recommended because it
> is a relatively weak authentication method. [...] In addition, preshared
> keys are stored in plaintext in the registry. In Active Directory,
> preshared keys are stored in readable hexadecimal format."
>
> So again: don't use it!
>
> Anyway: TSVN uses the default compile options for OpenSSL, which means
> the weaker algorithms all are disabled or not even compiled in. So if
> you use for example MD5 for your preshared key, then it won't work and
> never will (with TSVN) because that's not compiled into OpenSSL by
> default anymore.
>
> Also: TSVN has the CAPI engine enabled in OpenSSL which might interfere
> here in your situation. You can disable this by creating a DWORD value
> in the registry under
> HKCU\Software\TortoiseSVN\OpenSSLCapi
> and set it to 0.
> That will disable the CAPI engine.
>
> Stefan
>
> --
> ___
> oo // \\ "De Chelonian Mobile"
> (_,\/ \_/ \ TortoiseSVN
> \ \_/_\_/> The coolest interface to (Sub)version control
> /_/ \_\ http://tortoisesvn.net
>
> ------------------------------------------------------
> http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3071739
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].

Sorry,

I've probably misled you (still getting to grips with SSL jargon).

I have a setup like this in apache2:

SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt

i.e. I require the client to present a certificate signed by my own CA.
(The server's cert is also signed by the same CA)

That's not "Pre shared key", is it?

Does the registry hack still apply? Should I try it anyway?

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3071754

Received on 2014-01-18 09:19:03 CET
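
Added example, not part of the original message and not code from TortoiseSVN or Apache: the Apache directives quoted above (SSLVerifyClient require with SSLCACertificateFile) make the server accept only clients whose X.509 certificate chains to the configured CA. The script approximates that chain check offline with openssl verify. The CA and client names, subjects and the temporary directory are constructed for the illustration.

```shell
#!/bin/sh
# Constructed throwaway CAs and client certificates; nothing here comes from
# the poster's server. All names (ca, other, alice, outsider) are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file base name, $2 = common name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a client certificate: $1 = client name, $2 = signing CA base name.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -days 1 \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Succeed only if client $1 chains to CA $2 and is usable as a TLS client cert.
# $2.crt plays the role of the file named by SSLCACertificateFile.
chains_to() {
    openssl verify -purpose sslclient -CAfile "$WORK/$2.crt" \
        "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca ca    "Constructed Repo CA"        # the CA the server trusts
make_ca other "Constructed Unrelated CA"   # a CA the server does not trust
issue_client alice ca                      # signed by the trusted CA
issue_client outsider other                # signed by the unrelated CA

for client in alice outsider; do
    if chains_to "$client" ca; then
        echo "$client: certificate chains to the trusted CA"
    else
        echo "$client: certificate rejected"
    fi
done
```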

This is an archived mail posted to the TortoiseSVN Users mailing list.
