On Tue, Jun 4, 2013 at 1:25 PM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
> On Tue, Jun 4, 2013 at 3:19 PM, Lieven Govaerts <lgo_at_apache.org> wrote:
>> On Tue, Jun 4, 2013 at 12:55 PM, Ivan Zhakov <ivan_at_visualsvn.com> wrote:
>>> On Tue, Jun 4, 2013 at 2:51 PM, Lieven Govaerts <lgo_at_apache.org> wrote:
>>>> Hi,
>>>>
>>>>
>>>> see subject. Serf and ra_serf don't have smart card support at this
>>>> moment, unlike neon.
>>>>
>>>> I'd expected this to be mentioned in the release notes for 1.8.0 as
>>>> this is not new information (at least I hope so), but I can't find
>>>> anything about it.
>>>>
>>> Serf doesn't support smart cards for SSL based authentication, but
>>> SPNego (Kerberos/NTLM) smart authentication works fine.
>>
>> Ah, didn't know that. So you use your smart card to log in to Windows
>> and/or to the domain, which then enables single sign-on to a
>> Kerberos-enabled svn server right?
>>
> I didn't try Kerberos-enabled server. I tested using Active Directory
> domain controller. Windows SSPI automatically uses credentials from
> smart card used to logon to Windows.
>
>> In such a scenario, would you make the SSL layer additionally request
>> a valid client certificate?
>>
> This performed using different API. I believe that can be handled
> automatically by openssl when CAPI engine is enabled.
>
You are referring to a configuration where OpenSSL uses MS's CryptoAPI
to use the Windows certificate store. Never used it myself, but I see
that TSVN has implemented this, with an extra dialog to select a
client certificate if multiple were found.
I see no reason why that won't work with serf, we probably would have
heard about it if not.
So for Windows there's no problem, only for Mac & Linux we don't have
a smart card solution in 1.8.0 at this time.
Lieven
Received on 2013-06-04 13:56:57 CEST