[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Bug in ra_serf with client certificates

From: Thomas ┼kesson <thomas_at_akesson.cc>
Date: Fri, 21 Feb 2014 14:35:02 +0100

On 2014-02-21, at 12:58, Bert Huijben wrote:

>
>
>> -----Original Message-----
>> From: Thomas ├ůkesson [mailto:thomas_at_akesson.cc]
>> Sent: vrijdag 21 februari 2014 11:32
>> To: Subversion Development
>> Cc: Branko ─îibej; Lieven Govaerts
>> Subject: Re: Bug in ra_serf with client certificates
>>
>>
>> On 28 jan 2014, at 14:37, Lieven Govaerts <lgo_at_apache.org> wrote:
>>
>>> On Tue, Jan 28, 2014 at 1:53 PM, Branko ─îibej <brane_at_wandisco.com>
>> wrote:
>>>
>>>> [Tue Jan 28 13:32:47 2014] [info] SSL Library Error: 336105671
>>>> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not
>> return
>>>> a certificate No CAs known to server for verification?
>>>>
>>>>
>>>> The bug, as I see it, is that in this case, the command-line client doesn't
>>>> ask for different credentials. Shouldn't we be transforming (or wrapping)
>>>> SERF_ERROR_AUTHN_FAILED to SVN_ERR_RA_NOT_AUTHORIZED?
>>>
>>> The command line client doesn't ask for a client certificate, it
>>> should be defined correctly in the servers file using:
>>> ssl-client-cert-file
>>> ssl-client-cert-password
>>
>> Sorry, I am late to this party. Just got confused by this statement that
>> command line client does not ask.
>>
>> svn info https://secure.example.com
>> Autentiseringsregion (realm): https://secure.example.com:443
>> Filnamn f├Âr klientcertifikat:
>>
>> This happened to become Swedish but the last line asks for a filename of
>> client cert. This was 1.7.7 that I had on an old test machine.
>>
>> Attempting this on 1.8 gives an SSL error as this thread has already stated.
>
> There was a behavior change in 1.8, where the default was changed to *not ask* until it is enabled in the config.
>
> See http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression
>
> I think the reasoning was that there are servers that allow a client certificate, but don't require one. In case you would have to use such a server but don't have a certificate you would get the question over and over again.

Ok, that clarifies Lieven's statement. It applies "since 1.8".

I don't care whether the client prompts for filename or not, but I find it important to provide a good error message (preferably with recommended action) and APIs that help Tortoise et al.

Also like, Markus' idea about recording (no-)need for certificate in auth cache.

Cheers,
Thomas ├ů.
Received on 2014-02-21 14:35:41 CET

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.