On 13.02.2013 23:54, Delmar Dale wrote:
> Jared and Stefan,
>
> Sorry for taking so long to respond. We are going full steam at
> rolling out Tortoise at our enterprise once I got the CAC problem
> figured out. All was going well until we encountered a user with a
> "PIV" card. This card had 2 certificates issued by the same CA. So
> for this user, Tortoise is prompting for the certificate. And of
> course we're back to the original issue of, although you select a
> certificate, Tortoise doesn't use it.
>
> What I had to do was tell the user to delete one of the certificates
> from the Windows Certificate Store with a command similar to this
> "certutil -delstore -user "My" 1ee28a" before they use Tortoise. The
> certificate gets automatically re-installed when they re-insert their
> CAC.
>
> There is a concern that these PIV cards are the future, and we need
> to get this issue resolved before everyone gets upgraded to this type
> of card.
>
> I advised our development team to test the latest nightly build in
> the testlab to see if the issue is still there, and if it is, then
> submit a formal bug report with Tortoise.
I think I know why this doesn't work:

The e_capi module in OpenSSL can use the certificates from the smartcard
directly. However, as you've noticed, this only works if there's only one
certificate in the store that matches the request. If there are more,
the e_capi module has an option to show the cert selection dialog itself
and it would work, but that's unusable: you would get that dialog
multiple times for every TSVN command (and with multiple times I mean a
*lot*). So that option is disabled.

When TSVN shows the cert selection dialog, it has to extract that
certificate from the store (export it) and pass that information back to
the svn library as a file. And here's why it fails: certificates from
smartcards are not exportable!

I have an idea which might work. The problem with that approach is: for
every connection, there's first a connect attempt that will fail because
I would pass an empty/invalid certificate to be used. Only on the retry
would the real certificate be used, and then it would work. While the
user wouldn't notice that, I assume that your server log will get an
error entry every time.

I hope to get a test version ready this weekend.
Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest interface to (Sub)version control
/_/ \_\ http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3048911
Received on 2013-02-15 22:40:38 CET
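The situation described in this thread (two certificates from the same CA in a user's personal store, with non-exportable smart-card keys) can be confirmed before anyone deletes anything. The following PowerShell diagnostic is an added example, not code from the thread or from TortoiseSVN; it assumes Windows PowerShell with the `Cert:` drive and that the card is inserted when run.

```powershell
# Added diagnostic, not code from the thread or from TortoiseSVN.
# Lists certificates in the current user's personal store (the "My" store
# the certutil workaround touches) that share an issuer, and shows whether
# each private key is exportable. Smart-card-backed keys are never
# exportable, which is why exporting the selected certificate to a file
# cannot work for CAC/PIV users.
function Get-SameIssuerCertificates {
    $certs = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey }

    # Only issuers with more than one certificate trigger the selection prompt.
    $groups = $certs | Group-Object -Property Issuer | Where-Object { $_.Count -gt 1 }

    foreach ($group in $groups) {
        foreach ($cert in $group.Group) {
            $provider   = 'n/a'
            $exportable = 'n/a'
            try {
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($null -eq $key) {
                    $provider = 'non-RSA key (e.g. ECC); not inspected here'
                } elseif ($key -is [System.Security.Cryptography.RSACng]) {
                    # CNG key: the provider name identifies a smart card KSP
                    $provider   = $key.Key.Provider.Provider
                    $exportable = ($key.Key.ExportPolicy -ne 'None')
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key, typical for older CAC middleware
                    $provider   = $key.CspKeyContainerInfo.ProviderName
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Opening a smart card key fails if the card is not inserted.
                $provider = "unavailable: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Issuer     = $group.Name
                Subject    = $cert.Subject
                Serial     = $cert.SerialNumber   # the identifier certutil -delstore accepts
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                EKU        = ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')
                Provider   = $provider
                Exportable = $exportable
            }
        }
    }
}

Get-SameIssuerCertificates | Format-Table -AutoSize
```

An empty result means no issuer is duplicated, so the client should pick the single matching certificate without prompting; a non-empty result with `Exportable` false shows exactly the combination the thread describes.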