The following patch allows a user to selectively disable the use of SSL
client certificates. This fixes a problem that arises when you have a
mixed auth environment using certs and passwords. Presently, whenever the
server declares that it is able to accept client certificates, the user is
asked to supply a filename. This patch allows a user who doesn't have a
certificate for a server to disable that prompt.
I'm not sure whether this is the best way of tackling it.
david
--- subversion-1.2.1/subversion/include/svn_config.h Wed Apr 6
14:21:33 2005
+++ subversion-1.2.1/subversion/include/svn_config_dr.h Sun Sep 11
13:57:26 2005
@@ -69,6 +69,7 @@
#define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
#define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE "ssl-client-cert-file"
#define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_PASSWORD
"ssl-client-cert-password"
+#define SVN_CONFIG_OPTION_SSL_CLIENT_CERTS "ssl-client-certs"
#define SVN_CONFIG_CATEGORY_CONFIG "config"
#define SVN_CONFIG_SECTION_AUTH "auth"
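Review bot: The new option constant carries no comment saying that it is a boolean switch whose default is true, and the name `ssl-client-certs` reads like a list of certificates when it sits next to `ssl-client-cert-file`. A one-line comment above the define, such as `/* Boolean, default TRUE: offer a client certificate when the server requests one. */`, would make the meaning clear to anyone reading the header. Any user-facing description of the servers file is not part of this patch and would need the same wording.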
--- subversion-1.2.1/subversion/libsvn_ra_dav/session.c Fri Jul 1
17:02:13 2005
+++ subversion-1.2.1/subversion/libsvn_ra_dav/session_dr.c Sun Sep
11 13:57:04 2005
@@ -362,6 +362,7 @@
int *timeout_seconds,
int *neon_debug,
svn_boolean_t *compression,
+ svn_boolean_t *client_certs,
svn_config_t *cfg,
const char *requested_host,
apr_pool_t *pool)
@@ -401,6 +402,8 @@
SVN_CONFIG_OPTION_HTTP_TIMEOUT, NULL);
SVN_ERR(svn_config_get_bool(cfg, compression,
SVN_CONFIG_SECTION_GLOBAL,
SVN_CONFIG_OPTION_HTTP_COMPRESSION,
TRUE));
+ SVN_ERR(svn_config_get_bool(cfg, client_certs,
SVN_CONFIG_SECTION_GLOBAL,
+ SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
TRUE));
svn_config_get(cfg, &debug_str, SVN_CONFIG_SECTION_GLOBAL,
SVN_CONFIG_OPTION_NEON_DEBUG_MASK, NULL);
}
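Review bot: `client_certs` is only assigned inside blocks whose conditions lie outside these hunks: the global read here sits in a block closed by the `}` just below it, and the per-group read in the next hunk is placed the same way. The caller declares it without an initializer (`svn_boolean_t compression, client_certs;`) and later tests `if (client_certs)`. If either block can be skipped, for example when no servers configuration is loaded, the decision to offer a client certificate is made on an indeterminate value. Writing `*client_certs = TRUE;` unconditionally at the top of the settings function, before any config lookup, would make the default explicit. Whether `compression` already gets that treatment is not visible in the patch.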
@@ -426,6 +429,9 @@
SVN_ERR(svn_config_get_bool(cfg, compression, server_group,
SVN_CONFIG_OPTION_HTTP_COMPRESSION,
*compression));
+ SVN_ERR(svn_config_get_bool(cfg, client_certs, server_group,
+ SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
+ *client_certs));
svn_config_get(cfg, &debug_str, server_group,
SVN_CONFIG_OPTION_NEON_DEBUG_MASK, debug_str);
}
@@ -575,7 +581,7 @@
ne_uri uri = { 0 };
svn_ra_dav__session_t *ras;
int is_ssl_session;
- svn_boolean_t compression;
+ svn_boolean_t compression, client_certs;
svn_config_t *cfg;
const char *server_group;
@@ -644,6 +650,7 @@
&timeout,
&debug,
&compression,
+ &client_certs,
cfg,
uri.host,
pool);
@@ -766,10 +773,13 @@
ne_ssl_set_verify(sess, server_ssl_callback, ras);
ne_ssl_set_verify(sess2, server_ssl_callback, ras);
/* For client connections, we register a callback for if the server
- wants to authenticate the client via client certificate. */
-
- ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
- ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
+ wants to authenticate the client via client certificate and we're
+ using client certificates. */
+ if (client_certs)
+ {
+ ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
+ ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
+ }
/* See if the user wants us to trust "default" openssl CAs. */
trust_default_ca = svn_config_get_server_setting(
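Review bot: When `client_certs` is false, neither session registers `client_ssl_callback`, so an `ssl-client-cert-file` configured for the same server would presumably never be consulted. A server that requires a certificate would then fail the handshake with nothing pointing the user at this option. The comment above the `if` should state that precedence, for example `/* ssl-client-certs=no suppresses every client-cert provider, including ssl-client-cert-file. */`. Because the switch is also read from the global section, one line there turns certificate authentication off for every server, which deserves a mention in the option's documentation.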
Received on Sun Sep 11 15:37:12 2005