
Re: Support for CryptoAPI

From: Marcus Kovács <marcus.kovacs_at_gmail.com>
Date: Thu, 2 Oct 2008 03:35:11 -0700 (PDT)

Wow, that was fast. Unfortunately my tests didn't pass through using
TortoiseSVN nightly build. I checked the OpenSSL.build file and it
looks fine but there is not a trace of the "enable-capieng" in the
buildlog. Perhaps this is not an issue.

The testcase failed by fronting me with a File selection dialog to
choose certificate instead of having OpenSSL pick one from the
certificate store or listing available certificates in the store.
Seems like the certificate request is not handled by the OpenSSL
library but interfered by this dialog at some point. Do you have any
ideas why this could be?

Regards,
/Marcus Kovacs

On Sep 30, 7:02 pm, Stefan Küng <tortoise..._at_gmail.com> wrote:
> marcus wrote:
> > Hi.
>
> > I posted this to the users group but perhaps this is a better place for
> > this discussion:
>
> > I work for a company called Logica and we sponsored the development
> > work of adding CryptoAPI-support to OpenSSL. This is a cool feature
> > since this enables applications like for example TortoiseSVN to make
> > use of hard/soft certificates (smartcards etc) to authenticate on a
> > Subversion server.
>
> > However, this is not enabled by default in the OpenSSL library. To
> > enable it you specify 'enable-capieng' at compile time. From what I
> > understand TortoiseSVN comes statically linked with OpenSSL. It would
> > be a really nice feature if you would consider enabling the CryptoAPI
> > engine for your upcoming release of TortoiseSVN.
>
> > You won't need to do any other changes to your application. If
> > TortoiseSVN tries to access a SVN repository (https) requiring a
> > specific certificate you will be prompted by a dialog asking you what
> > certificate to use from the Microsoft Certificate Store. This is all
> > taken care of by the underlying OpenSSL library.
>
> > You can have OpenSSL automatically pick the server requested
> > certificate from the store and only prompt you if you have several
> > certificates matching the server request. To do this you just add
>
> > -DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi
>
> > at compile time.
>
> > Please consider this carefully since this is a killer feature among
> > version control systems. I can't think of another versioning system
> > offering 2-phase-logins using hard certificates. It won't affect the
> > current functionality and you don't have to add any application
> > specific preferences.
>
> > This feature is bundled in the latest release of OpenSSL (stable)
> > 0.9.8i. Below is a snippet from OpenSSL change log:
>
> > <snip>
> >   *) Expand ENGINE to support engine supplied SSL client certificate
> > functions.
> >      This work was sponsored by Logica.
> >      [Steve Henson]
>
> >   *) Add CryptoAPI ENGINE to support use of RSA and DSA keys held in
> > Windows
> >      keystores. Support for SSL/TLS client authentication too.
> >      Not compiled unless enable-capieng specified to Configure.
> >      This work was sponsored by Logica.
> >      [Steve Henson]
> > </snip>
>
> Changed the build in r14151.
>
> Stefan
>
> --
>        ___
>   oo  // \\      "De Chelonian Mobile"
>  (_,\/ \_/ \     TortoiseSVN
>    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
>    /_/   \_\    http://tortoisesvn.net
>

Received on 2008-10-02 12:45:16 CEST

This is an archived mail posted to the TortoiseSVN Dev mailing list.