
Re: Should missing smart card support not be added in the release notes?

From: Lieven Govaerts <lgo_at_apache.org>
Date: Tue, 4 Jun 2013 13:38:42 +0200

On Tue, Jun 4, 2013 at 1:25 PM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
> On Tue, Jun 4, 2013 at 3:19 PM, Lieven Govaerts <lgo_at_apache.org> wrote:
>> On Tue, Jun 4, 2013 at 12:55 PM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>>> On Tue, Jun 4, 2013 at 2:51 PM, Lieven Govaerts <lgo_at_apache.org> wrote:
>>>> Hi,
>>>>
>>>>
>>>> See subject. Serf and ra_serf don't have smart card support at this
>>>> moment, unlike neon.
>>>>
>>>> I'd expected this to be mentioned in the release notes for 1.8.0 as
>>>> this is not new information (at least I hope so), but I can't find
>>>> anything about it.
>>>>
>>> Serf doesn't support smart cards for SSL based authentication, but
>>> SPNego (Kerberos/NTLM) smart authentication works fine.
>>
>> Ah, didn't know that. So you use your smart card to log in to Windows
>> and/or to the domain, which then enables single sign-on to a
>> Kerberos-enabled svn server right?
>>
> I didn't try a Kerberos-enabled server. I tested using an Active Directory
> domain controller. Windows SSPI automatically uses credentials from
> the smart card used to log on to Windows.
>
>> In such a scenario, would you make the SSL layer additionally request
>> a valid client certificate?
>>
> This is performed using a different API. I believe that can be handled
> automatically by openssl when the CAPI engine is enabled.

My question was more from an admin POV. If you already have an
AD-integrated server with clients using smart cards to log on to the
domain, does it provide any additional security to activate client
certificates on the SSL layer?
If the answer is no, then at least the Windows-only shops can safely
use smart cards with svn 1.8.0, even if they use https.

Lieven
Received on 2013-06-04 13:39:37 CEST

This is an archived mail posted to the Subversion Dev mailing list.