[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: client certificate request cancel: only once

From: cri10000 <cri.hebert_at_yahoo.ca>
Date: Sat, 26 Jul 2008 10:17:14 -0700 (PDT)

On Jul 1, 12:07 pm, Stefan Küng <tortoise..._at_gmail.com> wrote:
> Thurner Rupert (KSFJ 551) wrote:
>
> > hi,
>
> > while using a ssl secured server which is requesting a x509 client
> > certificate for authentication tortoisesvn keeps asking for a cert
> > file all the time. it would be nice if tortoisesvn could remember
> > that it has no certificate.
>
> If you don't pass the file, you won't have access to the repository. So
> why would you want to save such a state?
>
> Stefan
>
> --
>         ___
>    oo  // \\      "De Chelonian Mobile"
>   (_,\/ \_/ \     TortoiseSVN
>     \ \_/_\_/>    The coolest Interface to (Sub)Version Control
>     /_/   \_\    http://tortoisesvn.net
>
>  signature.asc
> 1KDownload

Stefan: that's a seriously flawed assumption...

I'm having the same problem. Here's the setup:
1x Apache server
2x vhosts
7x repos (4 on vhost1, 3 on vhost2)

It seems to be well documented that, in order for client certificates
to play nice with TortoiseSVN, Apache must use an 'SSLVerifyClient
optional' directive in the main server section (ie, outside of any
vhosts sections).

This works, but here's the catch: by design, all repos on vhost1
should be accessed WITHOUT a client certificate. All repos on vhost2
require it... Better yet, the wish list is: SOME repos on vhost1 as
well as vhost2 require a certificate, the others are in the clear.
Through a browser, I can get this to work fine. But through
TortoiseSVN, it doesn't because of the user is constantly bugged by
this dialog asking for a certificate. (well... in reality it works by
pressing 'cancel' every time the dialog comes up, but no one in their
right mind would consider this a 'usable' or friendly system)

The flaw in you reasoning is: don't pass the file, don't get access...
wrong! It must go: don't pass the file, don't get access >>>to those
ressources that require it!<<< Doesn't mean the others are off limit
by implication. TortoiseSVN seems to think so...

Here's the problem: from a server point of view (let's take Apache):
'SSLVerifyClient require' means 'give me a file!', whereas
'SSLVerifyClient optional' means 'got a file?'

Now, from Tortoise's point of view, when told, 'gimme a file', it
shows the dialog asking the user for one, which is the correct
behaviour. But when asked 'got a file?', it keeps on thinking it's
mandatory again, and scrambles back to the user for one. That's a
significant problem. It should just say 'no'...

To quote the first post in this thread: 'it would be nice if
tortoisesvn could remember that it has no certificate.' I think it
really should remember.

Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_tortoisesvn.tigris.org
For additional commands, e-mail: users-help_at_tortoisesvn.tigris.org
Received on 2008-07-26 19:31:07 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.