
Re: RFC: TLS support in svn protocol

From: David Waite <mass_at_akuma.org>
Date: 2004-07-11 14:11:23 CEST

On Jul 10, 2004, at 11:13 PM, Greg Hudson wrote:
>> the server ignores the `url' argument and responds with
>
> Here we have a dilemma. Either:
>
> * The client provides the URL before TLS negotiation, which allows the
> server to use a different certificate and client cert database for each
> repository, but doesn't protect the URL from eavesdropping or
> modification. (The URL could be specified again in the TLS-protected
> stream to prevent modification.) Or,
>
> * The client does not provide the URL before TLS negotiation, so the
> URL is protected. But the server's certificate and client cert db are
> fixed for all repositories.
>
I would suggest #2.

There is already an extension to TLS defined to allow supplying a server
name during the initial client 'hello' to the server, which allows the
server to choose the certificate with which to reply. I do not think
openssl supports this yet, however gnutls does.

-David Waite
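An added illustration, not part of the original thread: the extension David refers to is server_name (SNI, RFC 3546 at the time, now RFC 6066). The code below encodes and strictly parses that ClientHello extension and shows the server-side choice it enables: with SNI the server picks a per-repository certificate before any application data (such as the URL) is sent, and without it the server falls back to one fixed certificate, as in option #2. The host names and certificate labels are constructed for the example.

```python
import struct

SERVER_NAME_EXT = 0   # ExtensionType "server_name" (RFC 6066 section 3)
HOST_NAME_TYPE = 0    # NameType host_name

def build_sni_extension(hostname: str) -> bytes:
    """Encode hostname as the server_name extension carried in a ClientHello."""
    name = hostname.encode("ascii")  # RFC 6066 requires an ASCII (IDNA) host name
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SERVER_NAME_EXT, len(name_list)) + name_list

def parse_sni_extension(ext: bytes) -> str:
    """Return the host_name in a server_name extension; reject malformed input."""
    if len(ext) < 6:
        raise ValueError("extension header truncated")
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != SERVER_NAME_EXT or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    body = ext[4:]
    (list_len,) = struct.unpack("!H", body[:2])
    if list_len != len(body) - 2:
        raise ValueError("server_name_list length mismatch")
    pos, end, host = 2, 2 + list_len, None
    while pos < end:
        if end - pos < 3:
            raise ValueError("ServerName entry truncated")
        name_type, name_len = struct.unpack("!BH", body[pos:pos + 3])
        pos += 3
        if pos + name_len > end:
            raise ValueError("host_name overruns server_name_list")
        if name_type == HOST_NAME_TYPE:
            if host is not None:
                raise ValueError("duplicate host_name entry")  # at most one per NameType
            host = body[pos:pos + name_len].decode("ascii")
        pos += name_len
    if not host:
        raise ValueError("no host_name entry present")
    return host

def select_certificate(client_hello_ext, cert_db: dict, default_cert: str) -> str:
    """Server side: no SNI means one fixed certificate for every repository (option #2);
    with SNI the certificate is chosen by name before any application data flows."""
    if client_hello_ext is None:
        return default_cert
    return cert_db.get(parse_sni_extension(client_hello_ext), default_cert)
```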

Received on Sun Jul 11 14:14:46 2004

This is an archived mail posted to the Subversion Dev mailing list.