
Re: Review requested on issue #2410 (SSL client certs option)

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Sun, 29 Jun 2008 22:17:34 -0400

"Mark Phippard" <markphip_at_gmail.com> writes:
> AIUI, the only way to configure client certs is the servers file.
> This is not automatic at all. The book says the same:
>
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.authn.sslcerts

Oops, I mis-assumed, sorry. You're right, there isn't a default
location (no automagic ~/.subversion/client-certs/SERVER_NAME/cert.p12
or whatever). Instead, you put the cert.p12 somewhere safe, anywhere
you want, and edit your ~/.subversion/servers file to point to it.

I now grok this in fullness; thank you for pointing to that section of
the book :-).

So what Joe is suggesting is that when no ~/.subversion/servers option
is available to point to the cert file, we do not prompt for a location
by default; instead, throw an error describing how to set the path in
~/.subversion/servers. But, also offer a boolean config option to say
"Yes, I want to be prompted when the client cert file is not found."

Also, if we want to be really fancy ("fancy" meaning, uh, "useable"):

   * When we do prompt for a cert file, automagically update
     ~/.subversion/servers to point to the cert file location.

   * When we prompt the user for a client cert passphrase, do *not*
     automagically store that passphrase in ~/.subversion/servers
     (because it's bad to automagically store passphrases).

     Instead, present a prompt like the one we do for regular plaintext
     passwords, wherein we ask the user if they want to store it, and
     also tell them what to set to avoid being asked in the future (a
     new boolean that says whether or not to store client cert
     passphrases after they've been read from prompt).

Those last two ideas are nice-to-haves, not must-haves, of course.

-Karl

Received on 2008-06-30 04:18:19 CEST
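
The lookup-then-fail behaviour proposed in the message above, as an added Python sketch (not part of the original mail and not Subversion's code). The `ssl-client-cert-file` key and the `[groups]`/`[global]` layout are the real servers-file format; the `prompt_when_missing` parameter stands in for the proposed boolean option, whose name the thread does not give, and `fnmatchcase` only approximates Subversion's host pattern matching. The sample file, hosts and paths are constructed.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of a ~/.subversion/servers file.
SAMPLE_SERVERS = """
[groups]
corp = *.example.com, svn.example.net

[corp]
ssl-client-cert-file = /home/alice/certs/corp.p12

[global]
http-timeout = 60
"""


class ClientCertNotConfigured(Exception):
    """No cert path in the servers file and prompting is not enabled."""


def lookup(cfg, host, option):
    """Return option from the first group whose pattern matches host, else [global]."""
    host = host.lower()
    if cfg.has_section("groups"):
        for group, patterns in cfg.items("groups"):
            globs = [p.strip().lower() for p in patterns.split(",")]
            if any(fnmatchcase(host, g) for g in globs) and cfg.has_option(group, option):
                return cfg.get(group, option)
    if cfg.has_option("global", option):
        return cfg.get("global", option)
    return None


def resolve_client_cert(servers_text, host, prompt_when_missing=False, prompt=None):
    """Return (path, source). prompt_when_missing is a hypothetical stand-in
    for the proposed opt-in boolean; prompt is a callable taking the host."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(servers_text)
    path = lookup(cfg, host, "ssl-client-cert-file")
    if path:
        return path, "servers-file"
    if prompt_when_missing and prompt is not None:
        # Opt-in only: the default is to fail with instructions, not to prompt.
        return prompt(host), "prompt"
    raise ClientCertNotConfigured(
        f"No client certificate configured for {host}. Set ssl-client-cert-file "
        "in [global] or a matching group in ~/.subversion/servers."
    )
```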

This is an archived mail posted to the Subversion Dev mailing list.