
Re: Looking for config option to stop use of CryptoAPI (TSVN 1.7.1)

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Thu, 27 Oct 2011 20:09:18 +0200

On 27.10.2011 20:04, Joel Jirak wrote:
> On Wed, Oct 26, 2011 at 12:53 PM, Joel Jirak<joel_at_jirak.us> wrote:
>> On Tue, Oct 25, 2011 at 4:25 PM, Stefan Küng<tortoisesvn_at_gmail.com> wrote:
>>> On 25.10.2011 21:58, Joel Jirak wrote:
>>>> Hello,
>>>>
>>>> There's been a change of behavior that I see when upgrading from 1.6.x
>>>> to 1.7.1. It looks like Tortoise is now built with access to MS
>>>> CryptoAPI enabled in OpenSSL. (Not sure if this is the exact right
>>>> technical description, but perhaps you know what I mean.) This is
>>>> causing a popup from my smart card software for almost any SVN
>>>> operation. For example, when browsing to a repository, I have to hit
>>>> cancel 4 times, until it falls back to using the cert file that I
>>>> configured in my servers file. It's the same behavior I described
>>>> here: http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=92849.
>>>> Unfortunately, my company requires me to use the smart card software,
>>>> so uninstalling it is not an option.
>>>>
>>>> Is there any way to work around this behavior so that TortoiseSVN uses
>>>> just what's configured in the servers file and doesn't cause popups
>>>> from accessing the MS certificate store? Perhaps a configuration
>>>> option that would disable it? I couldn't find anything in the help or
>>>> in the advanced options that seemed relevant.
>>>>
>>>> Thank you for considering the matter. I've been looking forward to
>>>> upgrading to 1.7.x and hope I'm not forced to stay with 1.6.x.
>>>
>>> You shouldn't get any dialogs if you've configured the certificate in
>>> the servers file.
>>> What kind of dialogs do pop up for you?
>>>
>>
>> It's a dialog reading "Please insert smart card". Unfortunately, I
>> forgot my smart card at home, so I can't tell you yet what happens if
>> I insert it. I'll try this tomorrow. (Almost no one here at work
>> brings their smart card into the office. It's only used for remote
>> access.)
>>
>
> Got my smart card. Here's what I see. The starting point is a) my
> servers file specifies the client cert and cert passphrase (no change
> here) and b) I delete my auth cache.
> 1. I select "Repo-browser" and pick the repository.
> 2. I get a pop-up saying "Please insert a smart card" from the security product.
> 3. I dismiss the pop-up seven times and then see the repo-browser
> populated with correct data from the repository. Presumably, TSVN has
> fallen back to using the settings from the servers file.
> 4. Any further action, like show-log, requires the pop-up to be dismissed once.
>
> Now, if I delete my auth cache, start over and insert my smart card:
> alt1. I select "Repo-browser" and pick the repository.
> alt2. I get a pop-up saying "Please insert a smart card" from the
> security product.
> alt3. Insert smart card. The repo-browser appears, populated with
> correct data from the repository.
> alt4. Any further action, like show-log, occurs without any pop-up
> dialogs interrupting.
>
> At this point, the behavior seems to change.
> alt5. I dismiss the repo-browser, then open it back up again (without
> deleting the auth cache)
> alt6. I don't get a pop-up about the smart card, because it's already inserted.
> alt7. I get the "Select Certificate" window.
> alt8. If I cancel this twice, the repo-browser is populated with data
> OR if I pick the desired client cert, the same thing happens.
> alt9. In either case, subsequent svn operations don't cause a pop-up.
> alt10. And finally, if I take my smart card out, svn operations cause
> me to be prompted to "Please insert a smart card"
>
> My preference would be that if a certificate is specified in the
> servers file for a given server, svn interactions with that server
> would never result in any prompts, whether directly by TSVN or
> indirectly from programs tied into MS crypto layer. Any chance for a
> tweak or some setting that could implement this?

I would consider this a bug in your smartcard package. OpenSSL opens the
crypto store to see if there's a matching certificate for it to use
automatically. It does this without showing any UI. Your smartcard
software should respect that non-UI flag and only ask to insert the card
if the non-UI flag isn't passed to open the crypto store.

However, I can see that it might be difficult to get your smartcard
software fixed. Which means I'll have to patch OpenSSL so you
can force it to never open the crypto store.

But this will take a while - patching OpenSSL isn't easy...

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
Received on 2011-10-27 20:09:48 CEST
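
The thread turns on whether a client certificate configured in the Subversion servers file applies to the server being contacted. The following is an added example, not part of the original mail or of TortoiseSVN: a small check that resolves which `[groups]` entry matches a host and which `ssl-client-cert-file` / `ssl-client-cert-password` values take effect. The sample file contents, host names and function names are constructed for illustration, and taking the first matching group in file order is a simplifying assumption.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of a Subversion "servers" file (not taken from the thread).
SAMPLE_SERVERS = """
[groups]
corp = *.corp.example, svn.example.org

[corp]
ssl-client-cert-file = C:/certs/me.p12
ssl-client-cert-password = placeholder

[global]
http-timeout = 60
"""

CERT_KEYS = ("ssl-client-cert-file", "ssl-client-cert-password")

def effective_client_cert(servers_text, host):
    """Return (group, settings): the client-cert options that apply to host."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(servers_text)
    group = None
    if cp.has_section("groups"):
        # Each [groups] entry maps a group name to comma-separated host globs.
        for name, patterns in cp.items("groups"):
            globs = [p.strip().lower() for p in patterns.split(",") if p.strip()]
            if any(fnmatchcase(host.lower(), g) for g in globs):
                group = name  # assumption: first match in file order wins
                break
    settings = {}
    for key in CERT_KEYS:
        # A group-specific value overrides the [global] one.
        for section in (group, "global"):
            if section and cp.has_option(section, key):
                settings[key] = cp.get(section, key)
                break
    return group, settings

def report(servers_text, host):
    """One-line summary of the client-cert configuration for host."""
    group, settings = effective_client_cert(servers_text, host)
    if "ssl-client-cert-file" not in settings:
        return f"{host}: no client cert configured (group={group})"
    pw = "set" if "ssl-client-cert-password" in settings else "not set"
    return f"{host}: cert={settings['ssl-client-cert-file']}, password {pw} (group={group})"

if __name__ == "__main__":
    for h in ("svn.corp.example", "svn.example.org", "other.example.net"):
        print(report(SAMPLE_SERVERS, h))
```
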

This is an archived mail posted to the TortoiseSVN Users mailing list.
