
Re: Windows Certificate Store / OpenSSL CAPI

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Sat, 15 Oct 2011 10:01:58 +0200

On 15.10.2011 01:03, Gero Kuehn wrote:
> Hello Stefan!
>> For reasons I do not intend to discuss here, I do not want to
>> change this in TSVN.
>
> There is no reason to be offended. I only wanted to avoid the usual
> flamewars.
>
> My list of reasons includes:
> - the windows certificate store does not
> backup very well (=at all) using our current system

not really a reason: you can back up the p12 file before you import it.

> - Internet explorer should not have access to the same certificates
> as my SVN client

Don't see a reason why, but ok.

> - it is a standard target for trojans/virus software (stealing keys)

sure, but so are the well known locations for popular tools like svn
clients.

> - I do not trust the Windows Cryptography APIs at all (you asked for
> it)

any data to back up this paranoia?

> - I need to change certificates frequently (to ones with less
> privileges) to test per-directory access controls before releasing
> these new certificates to the intended recipient(s)
>
> Especially the last one is the real issue for me because automatic
> certificate selections and the GUIs require significantly more time
> to change/reconfigure than the previous file solution.

if there are more than one cert in the store that could match, TSVN will
show a dialog from which you can choose the cert. So you could just add
your test certs to the store as well.

>> edit the servers file in %APPDATA%\Subversion and configure your
>> p12 file there.
>
> Thanks for the hint.... seriously.
>
> But due to your friendly response, let me make one thing clear for
> you: I appreciate what you do, but before posting here, I have spent
> quite some time searching for any kind of information about this
> issue. Finding out that this is an openssl "feature" and not
> something caused by TSVN directly was by far the hardest part. The
> documentation I saw did NOT point me into that direction.

that openssl feature only works if there's only one single cert in the
store that matches the request. If there are more, it would still just
use either the first one that matches (even if you can't log in with it)
or show a selection dialog for every single connection.

TSVN fixed this by patching OpenSSL and providing its own selection
dialog where you can store which cert you chose so it doesn't ask again
for every connection.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2855844
Received on 2011-10-15 10:02:15 CEST
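The file-based alternative Stefan points to is the Subversion `servers` file in %APPDATA%\Subversion, which TortoiseSVN reads as well. The fragment below is an added example and not part of the original thread; the group name, host name and certificate path are constructed placeholders, while `ssl-client-cert-file` and `ssl-client-cert-password` are the standard Subversion configuration keys.

```ini
# %APPDATA%\Subversion\servers  (constructed example; group, host and path are placeholders)

[groups]
# map a group name to the host(s) it applies to; wildcards such as *.example.com are accepted
internal = svn.example.com

[internal]
# client certificate in PKCS#12 form, kept as a per-user file:
# easy to back up, and swapping in a lower-privilege test certificate
# for access-control testing is a one-line edit
ssl-client-cert-file = C:\Users\gero\certs\client-full.p12

# ssl-client-cert-password = <password>
# optional; if set it is stored in clear text in this file, so leaving it
# commented out makes the client prompt for the passphrase instead
```

Because this is plain per-user configuration, the p12 file and the `servers` file should be protected by the user's own NTFS permissions rather than a system-wide location, which addresses the backup and separation concerns raised in the quoted message without touching the Windows certificate store.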

This is an archived mail posted to the TortoiseSVN Users mailing list.
