Re: openssl X509 certificate based client authentification svn svncpp

"Serge Bakkal" <Serge.Bakkal@wanadoo.fr> writes:

> How would we integrate X509 certificate based client authentification (and
> then bypass the apache basic authentifications ) ?
> Has anyone begun working on this area - or did I miss something and is it
> an auth method already
> provided with subversion ? -

It's not provided in Subversion directly, but it works just fine with
mod_ssl. I recommend to read the mod_ssl documentation. Basically, you
need the directives

SSLVerifyClient require # maybe you want to use "optional"

Notice that this must be a top-level directive, i.e. it doesn't work
on the per-directory config, as SSL renegotiation just won't work with
requests that have bodies (such as PROPFIND). Therefore, we use
"optional", to allow other content to be accessed without client
authentication.

You then need

SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

to list all the CAs whose certificates you trust.

For authorization in the repository, you need SSLRequire; we use
something like

SLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=HPI OSM Client Authentication CA" && \
  %{SSL_CLIENT_S_DN_CN} in {"Martin von Loewis", \
    "Peter Troeger", "Michael Dirska"}

Notice that with that approach, unfortunately, user names don't get
logged. I recommend that you install mod_ssl_user.c, from

http://www.dcl.hpi.uni-potsdam.de/home/loewis/mod_ssl_user.c

Regards,
Martin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Sat Jun 21 13:08:26 2003