[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Support for CryptoAPI

From: marcus <marcus.kovacs_at_gmail.com>
Date: Tue, 30 Sep 2008 03:36:19 -0700 (PDT)

Hi.

I posted this to the users group bu perhaps this is a better place for
this discussion:

I work for a company called Logica and we sponsored the development
work of adding CryptoAPI-support to OpenSSL. This is a cool feature
since this enables applications like for example TortoiseSVN to make
use of hard/soft certificates (smartcards etc) to authenticate on a
Subversion server.

However, this is not enabled by default in the OpenSSL library. To
enable it you specify 'enable-capieng' at compile time. From what I
understand TortoiseSVN comes statically linked with OpenSSL. It would
be a really nice feature if you would consider enabling the CryptoAPI
engine for your upcomming release of TortoiseSVN.

You won't need to do any other changes to your application. If
TortoiseSVN tries to access a SVN repository (https) requiring a
specific certificate you will be prompted by a dialog asking you what
certificate to use from the Microsoft Certificate Store. This is all
taken care of by the underlaying OpenSSL library.

You can have OpenSSL to automatically pick the server requested
certificate from the store and only prompt you if you have several
certificates matching the server request. To do this you just add

-DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi

at compile time.

Please consider this carefully since this is a killer feature among
versioncontrol system. I can't think of another versioning system
offering 2-phase-logins using hard certificates. It won't affect the
current functionality and you don't have to add any application
specific preferences.

This feature is bundled in the latest release of OpenSSL (stable)
0.9.8i. Below is a snippet from OpenSSL change log:

<snip>
  *) Expand ENGINE to support engine supplied SSL client certificate
functions.
     This work was sponsored by Logica.
     [Steve Henson]

  *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in
Windows
     keystores. Support for SSL/TLS client authentication too.
     Not compiled unless enable-capieng specified to Configure.
     This work was sponsored by Logica.
     [Steve Henson]
</snip>

Regards,
/Marcus Kovacs

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe_at_tortoisesvn.tigris.org
For additional commands, e-mail: dev-help_at_tortoisesvn.tigris.org
Received on 2008-09-30 12:37:14 CEST

This is an archived mail posted to the TortoiseSVN Dev mailing list.