
Re: Review requested on issue #2410 (SSL client certs option)

From: Mark Phippard <markphip_at_gmail.com>
Date: Sun, 29 Jun 2008 21:05:38 -0400

On Sun, Jun 29, 2008 at 8:48 PM, Karl Fogel <kfogel_at_red-bean.com> wrote:
> "Mark Phippard" <markphip_at_gmail.com> writes:
>> So in the end, in terms of implementation, what is Joe suggesting? It
>> sounds like he'd expect anyone using client certs to configure them in
>> the servers file? And we should just not prompt for a certificate and
>> instead error out if one is required but not configured?
>
> I think Joe is proposing a new boolean client-side config option in the
> 'servers' file:
>
> # Prompt for path to client cert file when server requires a client
> # cert but none could be found in the default location(s). Off by
> # default.
> # ssl-client-cert-prompt = no
>
> I presume we'd list it in the [global] section, and it would also be
> valid in a server-specific section, where it would behave in the usual
> way (i.e., override the global).

So then how does the client find a cert in the default location? I
thought what Joe was saying is that anyone that needs to use a client
cert knows they have to configure it in some way.

>> I am not sure if that is better or worse. What I do think is
>> important is Senthil's patch to allow the passphrase for the
>> client certificate to be cached like we cache passwords. We have a
>> customer that is eager to get this feature.
>
> Which patch is that? (It's not in issue #2410, AFAICT.)
>
> I think it's not necessarily related to what Joe is talking about,
> because finding a client cert and caching the password for it (if any)
> are two different things. But there could be some interaction I'm not
> understanding here.

It is a separate issue in our issue tracker. Patches have been on
list. I only mention it because if we were going to rethink how we
handle client certs, this is an important aspect of them where we need
improvements.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2008-06-30 03:06:07 CEST
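
The lookup discussed in this thread, as an added example that is not part of the original mail and is not Subversion's own code: a simplified model of how a client could resolve the proposed `ssl-client-cert-prompt` option, with a server-specific section overriding `[global]`. The order of checks (configured cert file, then prompt, then error) is an assumption drawn from the discussion; `ssl-client-cert-file` is the existing 'servers' option for a configured certificate, and the host names and paths are constructed.

```python
import configparser
from fnmatch import fnmatch

# Constructed sample 'servers' file. Host names and paths are placeholders.
SAMPLE_SERVERS = """
[groups]
internal = *.corp.example, svn.example.org

[internal]
ssl-client-cert-file = /home/user/.certs/internal.p12
ssl-client-cert-prompt = yes

[global]
# ssl-client-cert-prompt = no   (commented out: the proposed default is off)
"""

def effective_options(servers_text, host):
    """Return the options that apply to `host`: [global] overlaid by the
    first server group whose pattern list matches the host (simplified)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(servers_text)
    opts = dict(cfg["global"]) if cfg.has_section("global") else {}
    if cfg.has_section("groups"):
        for group, patterns in cfg["groups"].items():
            globs = [p.strip() for p in patterns.split(",")]
            matched = any(fnmatch(host.lower(), g.lower()) for g in globs)
            if matched and cfg.has_section(group):
                opts.update(cfg[group])  # server-specific overrides global
                break
    return opts

def client_cert_action(servers_text, host):
    """What the client does when `host` demands a client certificate."""
    opts = effective_options(servers_text, host)
    if opts.get("ssl-client-cert-file"):
        return "use " + opts["ssl-client-cert-file"]
    prompt = opts.get("ssl-client-cert-prompt", "no").strip().lower()
    if prompt in ("yes", "true", "on", "1"):
        return "prompt"
    # Nothing configured and prompting is off: fail instead of asking.
    return "error"

if __name__ == "__main__":
    for h in ("svn.example.org", "other.example.net"):
        print(h, "->", client_cert_action(SAMPLE_SERVERS, h))
```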

This is an archived mail posted to the Subversion Dev mailing list.
