[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] ssl client certificate use

From: Phillip Susi <psusi_at_cfl.rr.com>
Date: 2005-09-12 16:51:32 CEST

Are you sure it acts like that? This would seem to conflict with my
last experience with this issue. The last time I set up the server to
optionally use a client cert at the server level, the client did not
prompt me for a certificate file. If I set apache to require a
certificate for access to a certain path, the client would crash when
attempting to access that path, as it doesn't properly handle a request
for a certificate outside the initial handshake. I think that bug is in
the bug tracker at the moment.

In any case, if the server did not require a certificate at connect
time, the svn client did not appear to send one.

David Reid wrote:
> The follow patch allows a user to selectively disable the use of ssl
> client certificates. This fixes a problem that arises when you have a
> mixed auth environment using certs and passwords. Presently whenever the
> server declares it's able to accept client certificates the user is
> asked to supply a filename. This patch allows a user who doesn't have a
> certificate for a server to disable that requesting.
>
> Whether this is the best way of tackling it I'm not sure.
>
> david
>
> --- subversion-1.2.1/subversion/include/svn_config.h Wed Apr 6
> 14:21:33 2005
> +++ subversion-1.2.1/subversion/include/svn_config_dr.h Sun Sep 11
> 13:57:26 2005
> @@ -69,6 +69,7 @@
> #define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
> #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE "ssl-client-cert-file"
> #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_PASSWORD
> "ssl-client-cert-password"
> +#define SVN_CONFIG_OPTION_SSL_CLIENT_CERTS "ssl-client-certs"
>
> #define SVN_CONFIG_CATEGORY_CONFIG "config"
> #define SVN_CONFIG_SECTION_AUTH "auth"
> --- subversion-1.2.1/subversion/libsvn_ra_dav/session.c Fri Jul 1
> 17:02:13 2005
> +++ subversion-1.2.1/subversion/libsvn_ra_dav/session_dr.c Sun Sep
> 11 13:57:04 2005
> @@ -362,6 +362,7 @@
> int *timeout_seconds,
> int *neon_debug,
> svn_boolean_t *compression,
> + svn_boolean_t *client_certs,
> svn_config_t *cfg,
> const char *requested_host,
> apr_pool_t *pool)
> @@ -401,6 +402,8 @@
> SVN_CONFIG_OPTION_HTTP_TIMEOUT, NULL);
> SVN_ERR(svn_config_get_bool(cfg, compression,
> SVN_CONFIG_SECTION_GLOBAL,
> SVN_CONFIG_OPTION_HTTP_COMPRESSION,
> TRUE));
> + SVN_ERR(svn_config_get_bool(cfg, client_certs,
> SVN_CONFIG_SECTION_GLOBAL,
> + SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
> TRUE));
> svn_config_get(cfg, &debug_str, SVN_CONFIG_SECTION_GLOBAL,
> SVN_CONFIG_OPTION_NEON_DEBUG_MASK, NULL);
> }
> @@ -426,6 +429,9 @@
> SVN_ERR(svn_config_get_bool(cfg, compression, server_group,
> SVN_CONFIG_OPTION_HTTP_COMPRESSION,
> *compression));
> + SVN_ERR(svn_config_get_bool(cfg, client_certs, server_group,
> + SVN_CONFIG_OPTION_SSL_CLIENT_CERTS,
> + *client_certs));
> svn_config_get(cfg, &debug_str, server_group,
> SVN_CONFIG_OPTION_NEON_DEBUG_MASK, debug_str);
> }
> @@ -575,7 +581,7 @@
> ne_uri uri = { 0 };
> svn_ra_dav__session_t *ras;
> int is_ssl_session;
> - svn_boolean_t compression;
> + svn_boolean_t compression, client_certs;
> svn_config_t *cfg;
> const char *server_group;
>
> @@ -644,6 +650,7 @@
> &timeout,
> &debug,
> &compression,
> + &client_certs,
> cfg,
> uri.host,
> pool);
> @@ -766,10 +773,13 @@
> ne_ssl_set_verify(sess, server_ssl_callback, ras);
> ne_ssl_set_verify(sess2, server_ssl_callback, ras);
> /* For client connections, we register a callback for if the server
> - wants to authenticate the client via client certificate. */
> -
> - ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
> - ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
> + wants to authenticate the client via client certificate and we're
> + using client certificates. */
> + if (client_certs)
> + {
> + ne_ssl_provide_clicert(sess, client_ssl_callback, ras);
> + ne_ssl_provide_clicert(sess2, client_ssl_callback, ras);
> + }
>
> /* See if the user wants us to trust "default" openssl CAs. */
> trust_default_ca = svn_config_get_server_setting(
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Sep 12 16:54:28 2005

This is an archived mail posted to the Subversion Dev mailing list.