
Re: Accessing SVN repository via Apache and SSL client certificate? Almost there, but something is missing.

From: Ralph Seichter <subversion-ml_at_sentries.org>
Date: 2005-05-06 12:36:46 CEST

Phillip Susi wrote:

> Try moving the SSLVerifyClient directive to where you have the
> SSLEngine On and SSLCertificateXXX directives, which in my case
> is in the virtual host node.

Yes, this works for the SVN client, however...

> This of course has the side effect of requiring ALL clients that
> connect to the server to supply a valid certificate.

...this is a side effect the users won't accept, because the machine
serves non-SVN clients as well. For example, the SquirrelMail users
have no client certificates available in their Web Browsers.

> I believe when you have the SSLVerifyClient require directive inside
> the <Location> node, apache does not ask for a client certificate
> during the initial handshake. Only when you ask for a URL within
> that <Location> does it ask for a client certificate, and svn
> doesn't seem to handle that.

Indeed. I don't know if this could be called a misbehaviour of SVN,
though. The Apache docs state that SSLVerifyClient is valid in the
contexts server config, virtual host, directory, and .htaccess; see
<http://httpd.apache.org/docs-2.0/en/mod/mod_ssl.html#sslverifyclient>.
I tried to use SSLVerifyClient in a <Location> section, which works
for Firefox and Internet Exploiter, but not for SVN... Should this
be reported as a SVN bug or not?

It seems like I'm stuck now. I need a configuration which allows
access to the server in the following manner:

  https://server.tld/subversion/ SVN, client certificates only
  https://server.tld/webmail/ Web Browsers, no certificates

Can this be done (and how)?

-- 
Mit freundlichen Grüßen / Sincerely
Dipl. Inform. Ralph Seichter
HORUS-IT
Ahornweg 10
D-57635 Oberirsen
Tel +49 2686 987880
Fax +49 2686 987889
http://horus-it.de/
Received on Fri May 6 12:38:54 2005
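
The two placements of `SSLVerifyClient` discussed in this message, written out as an added illustration (not configuration posted by either participant). File paths are placeholders, and the `DAV svn` / `SVNPath` lines assume an ordinary mod_dav_svn setup; the two blocks are alternatives for the same host, not one file.

```apache
# --- Alternative A: verification at virtual-host level --------------------
# The client certificate is requested during the initial TLS handshake.
# The svn client copes with this, but every client of this host must
# present a certificate, including browsers that only want /webmail/.
<VirtualHost _default_:443>
    ServerName            server.tld
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt      # placeholder
    SSLCertificateKeyFile /path/to/server.key      # placeholder
    SSLCACertificateFile  /path/to/client-ca.crt   # CA that issued the client certs
    SSLVerifyClient       require
    SSLVerifyDepth        1

    <Location /subversion>
        DAV     svn
        SVNPath /path/to/repository                # placeholder
    </Location>
</VirtualHost>

# --- Alternative B: verification only inside <Location> -------------------
# The initial handshake asks for no certificate, so /webmail/ stays open to
# ordinary browsers. A request for /subversion/ makes mod_ssl renegotiate
# the connection to obtain the certificate; per this thread, Firefox and
# Internet Explorer handle that and the svn client does not.
<VirtualHost _default_:443>
    ServerName            server.tld
    SSLEngine             on
    SSLCertificateFile    /path/to/server.crt      # placeholder
    SSLCertificateKeyFile /path/to/server.key      # placeholder
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient       none

    <Location /subversion>
        DAV             svn
        SVNPath         /path/to/repository        # placeholder
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>
```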

This is an archived mail posted to the Subversion Users mailing list.
