Re: Review requested on issue #2410 (SSL client certs option)

From: Senthil Kumaran S <senthil_at_collab.net>
Date: Fri, 27 Jun 2008 16:00:05 +0530

Hi Karl,

Karl Fogel wrote:
> @@ -1232,6 +1244,10 @@
> with the normal one here. */
> else
> #endif
> + /* ### RFC: Should the 'use_client_certs' condition also cover the
> + ### PKCS#11 case above? What about the "PKCS#12" referred to
> + ### in libsvn_subr/config_file.c:svn_config_ensure()? */
> + if (use_client_certs)
> {
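Review bot: The question raised in the added `### RFC` comment is still open in the code itself: `if (use_client_certs)` sits after `#endif`, so when the conditional section is compiled in it becomes the body of the preceding `else` and gates only that branch, leaving the PKCS#11 case the comment refers to outside the option. Either hoist the `use_client_certs` test so it covers both branches, or say in the comment that PKCS#11 is intentionally exempt, and settle the PKCS#12 question before the `###` markers are committed.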

I tested with a PKCS#12 client certificate; it works perfectly.

Following is a summary of what I did to test this patch:

My apache config parameters

<apache-config>
       <Location /svn/repos>
           DAV svn
           SVNPath /tmp/repos
           AuthType Basic
           AuthName "TEST SVN repository"
           AuthUserFile /etc/svn-auth-file
           Require valid-user
         <IfDefine SSL>
             SSLRequireSSL
             SSLRequire %{SSL_CLIENT_S_DN_O} eq "CollabNet Inc" and \
             %{SSL_CLIENT_S_DN_OU} in {"Administration"}
         </IfDefine>
       </Location>

         SSLCertificateFile /usr/local/ssl/CollabCA/server/certs/serverWEB.crt
         SSLCertificateKeyFile /usr/local/ssl/CollabCA/server/keys/serverWEB.key
         SSLCACertificateFile /usr/local/ssl/CollabCA/CollabCA.crt
         SSLVerifyClient optional
         SSLVerifyDepth 2
</apache-config>

First run with default servers file:

<snip>
$ svn co https://localhost/svn/repos wc
Authentication realm: https://localhost:443
Client certificate filename: /usr/local/ssl/CollabCA/user/certs/stylesen.p12
Passphrase for '/usr/local/ssl/CollabCA/user/certs/stylesen.p12':
Authentication realm: <https://localhost:443> TEST SVN repository
Password for 'stylesen':
A wc/file1
A wc/file2
Checked out revision 2.
</snip>

Second run with "ssl-use-client-certs = no" servers file:

<snip>
$ svn co https://localhost/svn/repos wc
Authentication realm: <https://localhost:443> TEST SVN repository
Password for 'stylesen':
A wc/file1
A wc/file2
Checked out revision 2.
</snip>

NOTE: This patch is valid only if you have "SSLVerifyClient optional" in your
apache config. If you have something like "SSLVerifyClient require" it will
result in the following error:

<snip>
../subversion/libsvn_ra_neon/util.c:603: (apr_err=175002)
svn: OPTIONS of 'https://localhost/svn/repos': SSL negotiation failed: SSL
error: sslv3 alert handshake failure (https://localhost)
</snip>

Thank You.

-- 
Senthil Kumaran S
http://www.stylesen.org/
Received on 2008-06-27 12:31:19 CEST

This is an archived mail posted to the Subversion Dev mailing list.