
Re: [PATCH] Cache ssl client certificate passphrases

From: Joe Orton <jorton_at_redhat.com>
Date: Mon, 12 May 2008 10:41:48 +0100

On Mon, May 12, 2008 at 11:01:35AM +0200, Branko Čibej wrote:
> IMHO we should only use the new cert-passphrase provider if it uses a
> secure store. If that means we currently can't use it at all on Linux -- so
> be it. As for the servers file -- we can't remove that feature, but we can
> very loudly deprecate it.

I agree all round. I'd also say that the ideal solution for integration
with CryptoAPI and Keychain in this respect is to be using stored client
certs from there, not using it as a passphrase cache for certs in files.

From some brief research, it looks like Keychain only allows storing
keypairs as binary blobs (right?); it would be pretty simple to get
those usable with neon, though it would require an API extension.
Windows CryptoAPI support would be done similarly to how PKCS#11 is done
for Unix; you need to perform the private key signing operation via the
CryptoAPI interface - this is lots of work.


Received on 2008-05-12 11:42:15 CEST

This is an archived mail posted to the Subversion Dev mailing list.
