
RE: Bug in ra_serf with client certificates

From: Bert Huijben <bert_at_qqmail.nl>
Date: Fri, 21 Feb 2014 12:58:27 +0100

> -----Original Message-----
> From: Thomas Åkesson [mailto:thomas_at_akesson.cc]
> Sent: Friday, 21 February 2014 11:32
> To: Subversion Development
> Cc: Branko Čibej; Lieven Govaerts
> Subject: Re: Bug in ra_serf with client certificates
>
>
> On 28 jan 2014, at 14:37, Lieven Govaerts <lgo_at_apache.org> wrote:
>
> > On Tue, Jan 28, 2014 at 1:53 PM, Branko Čibej <brane_at_wandisco.com> wrote:
> >
> >> [Tue Jan 28 13:32:47 2014] [info] SSL Library Error: 336105671
> >> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return
> >> a certificate No CAs known to server for verification?
> >>
> >>
> >> The bug, as I see it, is that in this case, the command-line client doesn't
> >> ask for different credentials. Shouldn't we be transforming (or wrapping)
> >> SERF_ERROR_AUTHN_FAILED to SVN_ERR_RA_NOT_AUTHORIZED?
> >
> > The command line client doesn't ask for a client certificate, it
> > should be defined correctly in the servers file using:
> > ssl-client-cert-file
> > ssl-client-cert-password
>
> Sorry, I am late to this party. Just got confused by this statement that
> the command line client does not ask.
>
> svn info https://secure.example.com
> Autentiseringsregion (realm): https://secure.example.com:443
> Filnamn för klientcertifikat:
>
> This happened to become Swedish but the last line asks for a filename of
> client cert. This was 1.7.7 that I had on an old test machine.
>
> Attempting this on 1.8 gives an SSL error as this thread has already stated.

There was a behavior change in 1.8, where the default was changed to *not ask* until it is enabled in the config.

See http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression

I think the reasoning was that there are servers that allow a client certificate, but don't require one. In case you would have to use such a server but don't have a certificate you would get the question over and over again.

        Bert

>
>
> Thanks,
> Thomas Å.
Received on 2014-02-21 12:59:15 CET
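
The servers-file settings discussed in this thread, as an added example that is not part of the original mail or of Subversion's own code: it resolves the effective options for a host and predicts whether a 1.8 client sends a configured certificate, prompts, or does neither. The option name `ssl-client-cert-prompt` comes from the 1.8 release notes linked above; the sample file contents, the function names, and the simplified first-match group lookup are assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of a Subversion "servers" file; the group name, host
# patterns and certificate path are made up for this example.
SAMPLE_SERVERS = """
[groups]
secure = *.example.com, svn.example.org

[secure]
ssl-client-cert-file = /home/user/certs/client.p12

[global]
ssl-client-cert-prompt = no
"""

TRUE_VALUES = {"true", "yes", "on", "1"}


def effective_options(servers_text, host):
    """Merge [global] with the first group whose glob list matches host."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep group names as written so sections resolve
    cp.read_string(servers_text)
    opts = dict(cp["global"]) if cp.has_section("global") else {}
    if cp.has_section("groups"):
        for group, patterns in cp["groups"].items():
            globs = [p.strip().lower() for p in patterns.split(",")]
            if any(fnmatchcase(host.lower(), g) for g in globs if g):
                if cp.has_section(group):
                    opts.update(cp[group])  # group values override [global]
                break  # assumption: first matching group wins
    return opts


def client_cert_behaviour(servers_text, host):
    """Predict what a 1.8 client does when the server requests a certificate."""
    opts = effective_options(servers_text, host)
    if opts.get("ssl-client-cert-file"):
        return "send-configured-cert"
    if opts.get("ssl-client-cert-prompt", "no").strip().lower() in TRUE_VALUES:
        return "prompt-for-cert-file"
    # 1.8 default: no prompt, so the connection ends in the SSL error
    # reported in this thread instead of a filename question.
    return "no-cert-no-prompt"
```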

This is an archived mail posted to the Subversion Dev mailing list.
