[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[RESEND][PATCH] ssl client certificate usage

From: David Reid <david_at_jetnet.co.uk>
Date: 2005-09-12 12:31:20 CEST

[
Resend of patch - no changes.

My initial submission was to garner feedback if this would be an
acceptable patch, but if you want a commit style message, you got one.
]

Add a configuration setting to allow the user to tell subversion that
they don't have any ssl client certificates. This can be done globally
or in a [server] block.
This stops subversion asking repeatedly for a certificate if the server
implies that client certificates are an acceptable form of authentication.
Default is 'yes', so applying this patch does not change the behaviour
of subversion unless the user chooses.

--- subversion-1.2.1/subversion/include/svn_config.h Wed Apr 6
14:21:33 2005
+++ subversion-1.2.1/subversion/include/svn_config_dr.h Sun Sep 11
13:57:26 2005
@@ -69,6 +69,7 @@
 #define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
 #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE "ssl-client-cert-file"
 #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_PASSWORD
"ssl-client-cert-password"
+#define SVN_CONFIG_OPTION_SSL_CLIENT_CERTS "ssl-client-certs"

 #define SVN_CONFIG_CATEGORY_CONFIG "config"
 #define SVN_CONFIG_SECTION_AUTH "auth"
--- subversion-1.2.1/subversion/libsvn_ra_dav/session.c Fri Jul 1
17:02:13 2005
+++ subversion-1.2.1/subversion/libsvn_ra_dav/session_dr.c Sun Sep
11 13:57:04 2005
@@ -362,6 +362,7 @@
                                         int *timeout_seconds,
                                         int *neon_debug,
                                         svn_boolean_t *compression,
+ svn_boolean_t *client_certs,
                                         svn_config_t *cfg,
                                         const char *requested_host,
                                         apr_pool_t *pool)
@@ -401,6 +402,8 @@
                      SVN_CONFIG_OPTION_HTTP_TIMEOUT, NULL);
       SVN_ERR(svn_config_get_bool(cfg, compression,
SVN_CONFIG_SECTION_GLOBAL,
                                   SVN_CONFIG_OPTION_HTTP_COMPRESSION,
TRUE));
+ SVN_ERR(svn_config_get_bool(cfg, client_certs,
SVN_CONFIG_SECTION_GLOBAL,
+ SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
TRUE));
       svn_config_get(cfg, &debug_str, SVN_CONFIG_SECTION_GLOBAL,
                      SVN_CONFIG_OPTION_NEON_DEBUG_MASK, NULL);
     }
@@ -426,6 +429,9 @@
       SVN_ERR(svn_config_get_bool(cfg, compression, server_group,
                                   SVN_CONFIG_OPTION_HTTP_COMPRESSION,
                                   *compression));
+ SVN_ERR(svn_config_get_bool(cfg, client_certs, server_group,
+ SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
+ *client_certs));
       svn_config_get(cfg, &debug_str, server_group,
                      SVN_CONFIG_OPTION_NEON_DEBUG_MASK, debug_str);
     }
@@ -575,7 +581,7 @@
   ne_uri uri = { 0 };
   svn_ra_dav__session_t *ras;
   int is_ssl_session;
- svn_boolean_t compression;
+ svn_boolean_t compression, client_certs;
   svn_config_t *cfg;
   const char *server_group;

@@ -644,6 +650,7 @@
                               &timeout,
                               &debug,
                               &compression,
+ &client_certs,
                               cfg,
                               uri.host,
                               pool);
@@ -766,10 +773,13 @@
       ne_ssl_set_verify(sess, server_ssl_callback, ras);
       ne_ssl_set_verify(sess2, server_ssl_callback, ras);
       /* For client connections, we register a callback for if the server
- wants to authenticate the client via client certificate. */
-
- ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
- ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
+ wants to authenticate the client via client certificate and we're
+ using client certificates. */
+ if (client_certs)
+ {
+ ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
+ ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
+ }

       /* See if the user wants us to trust "default" openssl CAs. */
       trust_default_ca = svn_config_get_server_setting(

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Sep 12 12:32:20 2005

This is an archived mail posted to the Subversion Dev mailing list.