
AW: Bug in ra_serf with client certificates

From: Markus Schaber <m.schaber_at_codesys.com>
Date: Fri, 21 Feb 2014 12:41:18 +0000

Hi,

From: Bert Huijben [mailto:bert_at_qqmail.nl]
> From: Thomas Åkesson [mailto:thomas_at_akesson.cc]
> > >> [Tue Jan 28 13:32:47 2014] [info] SSL Library Error: 336105671
> > >> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did
> > >> not return
> > >> a certificate No CAs known to server for verification?
> > >>
> > >>
> > >> The bug, as I see it, is that in this case, the command-line client
> > >> doesn't ask for different credentials. Shouldn't we be transforming
> > >> (or wrapping) SERF_ERROR_AUTHN_FAILED to SVN_ERR_RA_NOT_AUTHORIZED?
> > >
> > > The command line client doesn't ask for a client certificate, it
> > > should be defined correctly in the servers file using:
> > > ssl-client-cert-file
> > > ssl-client-cert-password
> >
> > Sorry, I am late to this party. Just got confused by this statement
> > that command line client does not ask.
> >
> > svn info https://secure.example.com
> > Autentiseringsregion (realm): https://secure.example.com:443 Filnamn
> > för klientcertifikat:
> >
> > This happened to become Swedish but the last line asks for a filename
> > of client cert. This was 1.7.7 that I had on an old test machine.
> >
> > Attempting this on 1.8 gives an SSL error as this thread has already stated.
>
> There was a behavior change in 1.8, where the default was changed to *not
> ask* until it is enabled in the config.
>
> See http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression
>
> I think the reasoning was that there are servers that allow a client
> certificate, but don't require one. In case you would have to use such a
> server but don't have a certificate you would get the question over and over
> again.

A better fix for this would be to save in the auth cache that the login without
certificate was successful, so the user won't be asked again until the next
failure.

Best regards

Markus Schaber

CODESYS® a trademark of 3S-Smart Software Solutions GmbH

Inspiring Automation Solutions

3S-Smart Software Solutions GmbH
Dipl.-Inf. Markus Schaber | Product Development Core Technology
Memminger Str. 151 | 87439 Kempten | Germany
Tel. +49-831-54031-979 | Fax +49-831-54031-50

E-Mail: m.schaber@codesys.com | Web: http://www.codesys.com | CODESYS store: http://store.codesys.com
CODESYS forum: http://forum.codesys.com

Managing Directors: Dipl.Inf. Dieter Hess, Dipl.Inf. Manfred Werner | Trade register: Kempten HRB 6186 | Tax ID No.: DE 167014915
Received on 2014-02-21 13:42:26 CET
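
The settings named in this thread, shown as an added example that is not part of the original mail: a per-host group in the Subversion runtime `servers` file (`~/.subversion/servers` on Unix-like systems). The group name `secure` and the certificate path are assumptions; the host is the one from the quoted `svn info` command, and `ssl-client-cert-prompt` is the 1.8 option that turns the suppressed prompt back on.

```ini
# servers file: client certificate settings scoped to one host
[groups]
# Hypothetical group name, matching the host quoted in the thread
secure = secure.example.com

[secure]
# Certificate sent when the server requests one (PKCS#12 file; path is a placeholder)
ssl-client-cert-file = /home/user/.certs/client.p12

# The passphrase can be supplied here, but it is then stored in plaintext
# in this file; leaving it unset makes svn ask for it instead.
# ssl-client-cert-password = <passphrase>

# 1.8 and later: off by default, so a failed handshake ends in an SSL
# error. "yes" restores the 1.7 behaviour of asking for a certificate file.
ssl-client-cert-prompt = yes

[global]
# Keep the prompt off for every other server, so hosts that only
# optionally accept a client certificate do not ask repeatedly.
ssl-client-cert-prompt = no
```

Scoping the prompt to the one group keeps the 1.8 default for servers that accept but do not require a certificate, which is the case the behaviour change was meant to address.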

This is an archived mail posted to the Subversion Dev mailing list.
