I'm trying to tackle issue 650, starting with SSL server certificate
validation, moving to client certificate authentication. (CRL support
isn't planned for now, partially because I don't need it and partially
because neon doesn't support them; I'm also attempting to only use the
neon-exposed functions for ssl, rather than directly including openssl).
With SSL server certificate validation, I need to know where to find the
.pem-encoded list of trusted certificate authorities. Here is what I'm
planning so far:

- an ssl-authorities-file configuration value pointing to a file
  containing a list of certificate authority public certificates.
- an ignore-ssl-invalid-date configuration value for ra_dav, to ignore
  errors dealing with expiry (and also errors dealing with the certificate
  start date being in the future). This should be for both the server
  certificate and CA.
- an ignore-ssl-unknown-ca configuration value for ra_dav, to ignore
  server certificates not signed by one of the CAs listed. This will
  happen every time if there is no ssl authorities file configured.
- an ignore-ssl-host-mismatch configuration value for ra_dav, to ignore
  the server certificate not matching the requested hostname.

I assume all of these should be in the servers file. Other than the names
above, there are a couple of issues I'm seeking feedback on:

- should ssl-authorities-file have a default if not specified? If so,
  what should this be across platforms?
- should ignore-ssl-host-mismatch allow you to specify an alternate
  hostname to match against the server certificate CN?
- should there be prompting on the above errors?

-David Waite
Received on Sat Oct 14 02:16:12 2006
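
Added example, not part of the original message and not Subversion or neon code: a sketch of how the four proposed servers-file options could be applied to a set of certificate verification failures. The failure bit names, the struct, both function names and the "yes"/"true" value spelling are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed failure bits for the four error classes named in the message. */
enum { FAIL_NOT_YET_VALID = 1, FAIL_EXPIRED = 2,
       FAIL_HOST_MISMATCH = 4, FAIL_UNKNOWN_CA = 8 };

/* Hypothetical in-memory form of the proposed servers-file options. */
struct ssl_policy {
    const char *authorities_file;  /* ssl-authorities-file; NULL when unset */
    int ignore_invalid_date, ignore_unknown_ca, ignore_host_mismatch;
};

/* Apply one "key = value" pair; returns 1 if the key is one of the four. */
int apply_option(struct ssl_policy *p, const char *key, const char *val)
{
    int on = strcmp(val, "yes") == 0 || strcmp(val, "true") == 0;
    if (!strcmp(key, "ssl-authorities-file"))          p->authorities_file = val;
    else if (!strcmp(key, "ignore-ssl-invalid-date"))  p->ignore_invalid_date = on;
    else if (!strcmp(key, "ignore-ssl-unknown-ca"))    p->ignore_unknown_ca = on;
    else if (!strcmp(key, "ignore-ssl-host-mismatch")) p->ignore_host_mismatch = on;
    else return 0;
    return 1;
}

/* Returns 0 to accept, otherwise the failure bits no option excuses. */
unsigned check_server_cert(const struct ssl_policy *p, unsigned failures)
{
    unsigned ignorable = 0;
    /* No CA list configured: no chain can be trusted, so unknown-CA always fires. */
    if (p->authorities_file == NULL) failures |= FAIL_UNKNOWN_CA;
    if (p->ignore_invalid_date)  ignorable |= FAIL_NOT_YET_VALID | FAIL_EXPIRED;
    if (p->ignore_unknown_ca)    ignorable |= FAIL_UNKNOWN_CA;
    if (p->ignore_host_mismatch) ignorable |= FAIL_HOST_MISMATCH;
    return failures & ~ignorable;
}

int main(void)
{
    struct ssl_policy p = { NULL, 0, 0, 0 };
    apply_option(&p, "ignore-ssl-invalid-date", "yes");
    /* Expired cert with a mismatched host name and no CA file configured. */
    unsigned left = check_server_cert(&p, FAIL_EXPIRED | FAIL_HOST_MISMATCH);
    printf("blocking failures: 0x%x\n", left);
    return left != 0;
}
```

Each ignore option excuses only its own failure class, so a certificate with several problems is still rejected unless every one of them is explicitly excused.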