
svnserve client authentication using certificates

From: Sigfred Håversen <bsdlist_at_mumak.com>
Date: 2004-10-31 21:22:38 CET

To my previous svnserve SSL patch, I've added authentication using client
certificates. However, client management of certificates remains to be done
and I'm unsure how to proceed. More on that below.

An SSL-enabled svnserve will now accept clients that do not have that
capability, or do not want to use it. An exception, of course, is
authentication using certificates. If both svnserve and the client support
SSL, an SSL handshake will be done.

A repo administrator will add users with certificates in a new section
[certificates] in the svnserve password file:

[certificates]
username1 = <PEM encoded certificate>
username2 = <PEM encoded certificate>
....

I've added a new auth mech "SSL-CERT" that the server sends when it wants the
client to authenticate with a certificate. The authentication will only
succeed if the client gives a valid username and certificate during the
handshake. The authentication is done by checking that the client-supplied
certificate is signed by the corresponding certificate in the password file.

For the client certificate management there are two credentials that will be
useful: SVN_AUTH_CRED_SSL_CLIENT_CERT and
SVN_AUTH_CRED_SSL_CLIENT_CERT_PW. However, neither of them supports caching.
Since my client certificate authentication is a pair (username, certificate),
it would be useful to have a "const char *username" member in
svn_auth_cred_ssl_client_cert_t as well.

I could change the providers, but I don't want to risk breaking existing usage
of those providers. Making a new credential seems wrong. Any ideas?

/Sigfred

Received on Sun Oct 31 21:22:58 2004
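
The check described in the mail (the presented certificate must be signed by the certificate stored under the claimed username), as an added example that is not part of the patch or of Subversion. It uses Go's standard library rather than svnserve's C so the test certificates can be constructed in-process; `issue`, `certEntries` and `authenticate` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate with a fresh key; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above
	return cert, key
}

type certEntries map[string]*x509.Certificate // [certificates]: username -> stored certificate
// authenticate accepts (user, presented) only if presented is signed by that user's own entry.
func (e certEntries) authenticate(user string, presented *x509.Certificate) error {
	stored, ok := e[user]
	if !ok {
		return fmt.Errorf("no [certificates] entry for %q", user)
	}
	if err := presented.CheckSignatureFrom(stored); err != nil {
		return fmt.Errorf("certificate not signed by entry for %q: %w", user, err)
	}
	return nil
}

func main() {
	aliceEntry, aliceKey := issue("alice-entry", true, nil, nil)
	bobEntry, _ := issue("bob-entry", true, nil, nil)
	aliceCert, _ := issue("alice", false, aliceEntry, aliceKey)
	e := certEntries{"alice": aliceEntry, "bob": bobEntry}
	for _, user := range []string{"alice", "bob", "mallory"} {
		fmt.Println(user, "->", e.authenticate(user, aliceCert)) // only alice yields <nil>
	}
}
```

The "bob" case shows why the credential is a (username, certificate) pair: a certificate that verifies against one user's entry must not be accepted under another username. The signature check alone does not cover the certificate's validity period or revocation.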

This is an archived mail posted to the Subversion Dev mailing list.
