Re: openssl X509 certificate based client authentification svn svncpp

From: Martin v. Löwis <martin_at_v.loewis.de>
Date: 2003-06-21 13:07:16 CEST

"Serge Bakkal" <Serge.Bakkal@wanadoo.fr> writes:

> How would we integrate X509 certificate based client authentication (and
> then bypass the apache basic authentications)?
> Has anyone begun working on this area - or did I miss something and is it
> an auth method already
> provided with subversion?

It's not provided in Subversion directly, but it works just fine with
mod_ssl. I recommend reading the mod_ssl documentation. Basically, you
need the directives

# maybe you want to use "optional"
SSLVerifyClient require

Notice that this must be a top-level directive, i.e. it doesn't work
on the per-directory config, as SSL renegotiation just won't work with
requests that have bodies (such as PROPFIND). Therefore, we use
"optional", to allow other content to be accessed without client
authentication.

You then need

SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

to list all the CAs whose certificates you trust.

For authorization in the repository, you need SSLRequire; we use
something like

SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=HPI OSM Client Authentication CA" && \
  %{SSL_CLIENT_S_DN_CN} in {"Martin von Loewis", \
    "Peter Troeger", "Michael Dirska"}

Notice that with that approach, unfortunately, user names don't get
logged. I recommend that you install mod_ssl_user.c, from

http://www.dcl.hpi.uni-potsdam.de/home/loewis/mod_ssl_user.c

Regards,
Martin

Received on Sat Jun 21 13:08:26 2003
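
The directives from this message combined into one virtual host, as an added example that is not part of the original mail. The server name, server certificate and key paths, repository path and log file name are placeholders, and the CustomLog line is an assumption about one way to record the certificate CN without mod_ssl_user.c.

```apache
# Added example, not from the original mail. Placeholders: ServerName,
# server.crt/server.key paths, /svn, /var/svn/repos, log file name.
<VirtualHost *:443>
    ServerName svn.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/server.key

    # Server level, as the mail advises: the certificate is requested in the
    # initial handshake, so no renegotiation is needed on requests with
    # bodies (e.g. PROPFIND). "optional" keeps other content reachable
    # without a client certificate.
    SSLVerifyClient optional

    # Every CA in this file can vouch for a client certificate.
    SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

    # Assumption: log the certificate CN through mod_ssl's %{...}x format,
    # since the authenticated user field (%u) stays empty with this setup.
    CustomLog logs/ssl_svn_log "%h %l %{SSL_CLIENT_S_DN_CN}x %t \"%r\" %>s %b"

    <Location /svn>
        DAV svn
        SVNPath /var/svn/repos

        # Authorization for the repository. The issuer DN is pinned because
        # matching the CN alone would accept a certificate with the same CN
        # issued by any other CA listed in ca-bundle.crt.
        # SSL_CLIENT_VERIFY makes the "certificate was presented and
        # validated" condition explicit when SSLVerifyClient is "optional".
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" && \
          %{SSL_CLIENT_I_DN} eq "/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=HPI OSM Client Authentication CA" && \
          %{SSL_CLIENT_S_DN_CN} in {"Martin von Loewis", \
            "Peter Troeger", "Michael Dirska"}
    </Location>
</VirtualHost>
```

On Apache 2.4 the mod_ssl documentation marks SSLRequire as deprecated in favour of `Require expr`.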

This is an archived mail posted to the Subversion Dev mailing list.
