[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: client certificate request cancel: only once

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Mon, 28 Jul 2008 08:09:21 +0200

cri10000 wrote:

> Stefan: that's a seriously flawed assumption...
>
> I'm having the same problem. Here's the setup:
> 1x Apache server
> 2x vhosts
> 7x repos (4 on vhost1, 3 on vhost2)
>
> It seems to be well documented that, in order for client certificates
> to play nice with TortoiseSVN, Apache must use an 'SSLVerifyClient
> optional' directive in the main server section (ie, outside of any
> vhosts sections).

Where is that documented?

> This works, but here's the catch: by design, all repos on vhost1
> should be accessed WITHOUT a client certificate. All repos on vhost2
> require it... Better yet, the wish list is: SOME repos on vhost1 as
> well as vhost2 require a certificate, the others are in the clear.
> Through a browser, I can get this to work fine. But through
> TortoiseSVN, it doesn't because of the user is constantly bugged by
> this dialog asking for a certificate. (well... in reality it works by
> pressing 'cancel' every time the dialog comes up, but no one in their
> right mind would consider this a 'usable' or friendly system)

if all repos on vhost1 don't require a client certificate, then don't
make apache ask for one!

> The flaw in you reasoning is: don't pass the file, don't get access...
> wrong! It must go: don't pass the file, don't get access >>>to those
> ressources that require it!<<< Doesn't mean the others are off limit
> by implication. TortoiseSVN seems to think so...
>
> Here's the problem: from a server point of view (let's take Apache):
> 'SSLVerifyClient require' means 'give me a file!', whereas
> 'SSLVerifyClient optional' means 'got a file?'

And 'SSLVerifyClient no' means 'I don't need a file'.

> Now, from Tortoise's point of view, when told, 'gimme a file', it
> shows the dialog asking the user for one, which is the correct
> behaviour. But when asked 'got a file?', it keeps on thinking it's
> mandatory again, and scrambles back to the user for one. That's a
> significant problem. It should just say 'no'...

There's no way for a client to know why the server asks for a file. If
the server asks for it, the client has to ask the user for it. It's as
simple as that. If the server later decides that it doesn't really need
the file, the client doesn't know that.

> To quote the first post in this thread: 'it would be nice if
> tortoisesvn could remember that it has no certificate.' I think it
> really should remember.

If you really want such a feature, you'd have to ask on the Subversion
mailing list for it: authentication is done by the Subversion library,
not TSVN.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net

Received on 2008-07-28 08:09:38 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.