Hi Karl,
Karl Fogel wrote:
> @@ -1232,6 +1244,10 @@
> with the normal one here. */
> else
> #endif
> + /* ### RFC: Should the 'use_client_certs' condition also cover the
> + ### PKCS#11 case above? What about the "PKCS#12" referred to
> + ### in libsvn_subr/config_file.c:svn_config_ensure()? */
> + if (use_client_certs)
> {
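Review bot: The new `if (use_client_certs)` lands after the `else` / `#endif`, so it gates only the block that follows and leaves whatever branch sits above the `#endif` (the PKCS#11 case the comment mentions) unconditional. The `### RFC` comment asks exactly this question but the hunk does not answer it. If the option is meant to switch off every client-certificate provider, hoist the `use_client_certs` test so it wraps both the PKCS#11 branch and this one. Otherwise, replace the `###` comment with a plain comment stating why PKCS#11 is deliberately exempt, and settle the PKCS#12 wording in svn_config_ensure() in the same change so the code and the generated config template agree.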
I tested with a PKCS#12 client certificate; it works perfectly.
Following is a summary of what I did to test this patch:
My Apache config parameters:
<apache-config>
<Location /svn/repos>
DAV svn
SVNPath /tmp/repos
AuthType Basic
AuthName "TEST SVN repository"
AuthUserFile /etc/svn-auth-file
Require valid-user
<IfDefine SSL>
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "CollabNet Inc" and %{SSL_CLIENT_S_DN_OU} in {"Administration"}
</IfDefine>
</Location>
SSLCertificateFile /usr/local/ssl/CollabCA/server/certs/serverWEB.crt
SSLCertificateKeyFile /usr/local/ssl/CollabCA/server/keys/serverWEB.key
SSLCACertificateFile /usr/local/ssl/CollabCA/CollabCA.crt
SSLVerifyClient optional
SSLVerifyDepth 2
</apache-config>
First run with default servers file:
<snip>
$ svn co https://localhost/svn/repos wc
Authentication realm: https://localhost:443
Client certificate filename: /usr/local/ssl/CollabCA/user/certs/stylesen.p12
Passphrase for '/usr/local/ssl/CollabCA/user/certs/stylesen.p12':
Authentication realm: <https://localhost:443> TEST SVN repository
Password for 'stylesen':
A wc/file1
A wc/file2
Checked out revision 2.
</snip>
Second run with "ssl-use-client-certs = no" servers file:
<snip>
$ svn co https://localhost/svn/repos wc
Authentication realm: <https://localhost:443> TEST SVN repository
Password for 'stylesen':
A wc/file1
A wc/file2
Checked out revision 2.
</snip>
NOTE: This patch is valid only if you have "SSLVerifyClient optional" in your
Apache config. If you have something like "SSLVerifyClient require" it will
result in the following error:
<snip>
../subversion/libsvn_ra_neon/util.c:603: (apr_err=175002)
svn: OPTIONS of 'https://localhost/svn/repos': SSL negotiation failed: SSL
error: sslv3 alert handshake failure (https://localhost)
</snip>
Thank You.
--
Senthil Kumaran S
http://www.stylesen.org/
Received on 2008-06-27 12:31:19 CEST