[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Announcing mod_ssl_user

From: Martin v. Löwis <martin_at_v.loewis.de>
Date: 2003-06-18 22:42:07 CEST

Ben Collins-Sussman <sussman@collab.net> writes:

> So this means that Subversion repositories no longer need to require
> "Basic Auth" credentials over SSL? They have other options now?

It was always the case that you can use SSL client authentication over
mod_dav_svn. For example, our repository had for quite some time

SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=HPI OSM Client Authentication CA" && \
   %{SSL_CLIENT_S_DN_CN} in { \
     "Martin von Loewis", "Peter Troeger", "Michael Dirska"}

This would allow access to all the listed users (assuming that our CA
always fills out the CN properly, which it does).

So far, even though authentication succeeded properly, Subversion
would log "(no author)", meaning that users would have to provide
Basic auth *on top of that*. This was very unfortunate, since users
were already authenticated...

With that module, no need for transmitting passwords exists anymore;
just authenticating with the SSL certificate is sufficient.

Now, if I could get SVN to use the Windows CryptoAPI certificate
storage, instead of requiring PKCS12 files read by OpenSSL...


To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Jun 18 22:43:05 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.