[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Review requested on issue #2410 (SSL client certs option)

From: <svnlgo_at_mobsol.be>
Date: Fri, 27 Jun 2008 14:27:34 +0200

Karl,

Quoting Karl Fogel <kfogel_at_red-bean.com>:

> Issue #2410 is about allowing the client to avoid SSL certificate
> prompts, by setting a config value that says "don't do client certs".
>
> The original patch was way out of date. I attached an updated patch to
> the issue (see below). It needs review and has at least one outstanding
> question (detailed in the log message below). If anyone has time to
> look at this, that'd be great.
>

I didn't review the ra_neon part. The ra_serf looks basically okay to me, expect
one remark.

> [[[
> #################################################################
> ### ###
> ### NOT READY TO BE COMMITTED YET. Search for the comment ###
> ### beginning "### RFC" in the diff for outstanding issues. ###
> ### ###
> #################################################################
>
> Add a configuration setting to allow the user to tell Subversion that
> they don't have any SSL client certificates. This option can be set
> globally or in a [server] block.
>
> This stops subversion from asking repeatedly for a certificate if the
> server implies that client certificates are an acceptable form of
> authentication. The default is 'yes', so applying this patch does not
> change the behaviour of Subversion unless the user chooses to.
>
> Patch by: David Reid <david_at_jetnet.co.uk>
> kfogel
> (Heavily reworked, as the issue #2410 patch was against Subversion 1.2.)
>
> * subversion/include/svn_config.h
> (SVN_CONFIG_OPTION_SSL_USE_CLIENT_CERTS): New config option.
>
> * subversion/libsvn_subr/config_file.c
> (svn_config_ensure): Document the new option.
>
> Handle the new option in ra_neon:
>
> * subversion/libsvn_ra_neon/session.c
> (get_server_settings): Take new parameter use_client_certs, use it
> to return a boolean value (by reference) from global or
> server-specific settings as applicable.
> (svn_ra_neon__open): Don't use client certs if config says not to.
> But, leave a comment asking some important questions about what
> kind of client certs fall into the protected category.
>
> Handle it in ra_serf:
>
> * subversion/libsvn_ra_serf/ra_serf.h
> (svn_ra_serf__conn_setup): New boolean field use_client_certs.

This should be (svn_ra_serf__session_t).

>
> * subversion/libsvn_ra_serf/serf.c
> (svn_ra_serf__open): Initialize serf_sess->use_client_certs.
> (load_config): Get the use_client_certs setting from config.
>
> * subversion/libsvn_ra_serf/util.c
> (svn_ra_serf__conn_setup, svn_ra_serf__setup_serf_req): Don't use
> client certs if config says not to.
> ]]]
>
> Index: subversion/include/svn_config.h
> ===================================================================
> --- subversion/include/svn_config.h (revision 31887)
> +++ subversion/include/svn_config.h (working copy)
> @@ -70,6 +70,7 @@
> #define SVN_CONFIG_OPTION_HTTP_AUTH_TYPES "http-auth-types"
> #define SVN_CONFIG_OPTION_SSL_AUTHORITY_FILES "ssl-authority-files"
> #define SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA "ssl-trust-default-ca"
> +#define SVN_CONFIG_OPTION_SSL_USE_CLIENT_CERTS "ssl-use-client-certs"
> #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_FILE "ssl-client-cert-file"
> #define SVN_CONFIG_OPTION_SSL_CLIENT_CERT_PASSWORD
> "ssl-client-cert-password"
> #define SVN_CONFIG_OPTION_SSL_PKCS11_PROVIDER "ssl-pkcs11-provider"
> Index: subversion/libsvn_subr/config_file.c
> ===================================================================
> --- subversion/libsvn_subr/config_file.c (revision 31887)
> +++ subversion/libsvn_subr/config_file.c (working copy)
> @@ -744,6 +744,8 @@
> "### ssl-authority-files List of files, each of a trusted
> CAs"
>
> NL
> "### ssl-trust-default-ca Trust the system 'default' CAs"
> NL
> + "### ssl-use-client-certs Whether or not to use client "
> NL
> + "### certificates (default: yes)."
> NL
> "### ssl-client-cert-file PKCS#12 format client certificate
> file"
>
> NL
> "### ssl-client-cert-password Client Key password, if needed."
> NL

[Skipping the ra_neon part]

> Index: subversion/libsvn_ra_serf/ra_serf.h
> ===================================================================
> --- subversion/libsvn_ra_serf/ra_serf.h (revision 31887)
> +++ subversion/libsvn_ra_serf/ra_serf.h (working copy)
> @@ -201,6 +201,9 @@
>
> /* Repository UUID */
> const char *uuid;
> +
> + /* Are we using client certs at all? */
> + svn_boolean_t use_client_certs;
> };
>
> /*
> Index: subversion/libsvn_ra_serf/serf.c
> ===================================================================
> --- subversion/libsvn_ra_serf/serf.c (revision 31887)
> +++ subversion/libsvn_ra_serf/serf.c (working copy)
> @@ -359,6 +359,10 @@
> SVN_CONFIG_SECTION_GLOBAL,
> SVN_CONFIG_OPTION_HTTP_COMPRESSION, TRUE));
>
> + SVN_ERR(svn_config_get_bool(config, &session->use_client_certs,
> + SVN_CONFIG_SECTION_GLOBAL,
> + SVN_CONFIG_OPTION_SSL_USE_CLIENT_CERTS,
> TRUE));
> +
> svn_auth_set_parameter(session->wc_callbacks->auth_baton,
> SVN_AUTH_PARAM_CONFIG, config);
>
> @@ -394,6 +398,10 @@
> server_group,
> SVN_CONFIG_OPTION_HTTP_COMPRESSION,
> session->using_compression));
> + SVN_ERR(svn_config_get_bool(config, &session->use_client_certs,
> + SVN_CONFIG_SECTION_GLOBAL,
> + SVN_CONFIG_OPTION_SSL_USE_CLIENT_CERTS,
> + session->use_client_certs));

SVN_CONFIG_SECTION_GLOBAL should be server_group.

[..]

Lieven

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: dev-help_at_subversion.tigris.org
Received on 2008-06-27 14:27:53 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.