Re: Accessing SVN repository via Apache and SSL client certificate? Almost there, but something is missing.

From: Hermann Voßeler <hermann.vosseler_at_baaderbank.de>
Date: 2005-05-10 15:46:57 CEST

| Ralph Seichter wrote:
|>> This of course has the side effect of requiring ALL clients that
|>> connect to the server to supply a valid certificate.
|> ...this is a side effect the users won't accept, because the
|> machine serves non-SVN clients as well. For example, the
|> SquirrelMail users have no client certificates available in their
|> Web Browsers.
| Yes, that is a problem.
|> Indeed. I don't know if this could be called a misbehaviour of SVN,
|> though. The Apache docs state that SSLVerifyClient is valid in the
|> contexts server config, virtual host, directory, and .htaccess;
|> see
|> <http://httpd.apache.org/docs-2.0/en/mod/mod_ssl.html#sslverifyclient>.
|> I tried to use SSLVerifyClient in a <Location> section, which
|> works for Firefox and Internet Exploiter, but not for SVN... Should
|> this be reported as a SVN bug or not?
Phillip Susi wrote:
| It is a bug in SVN and should be reported. Specifically the SVN
| client chokes when the server requests a client certificate after the
| initial handshake. This might be a problem with the neon library SVN
| uses to connect to the server, or in the way SVN is using neon.


This is really a problem, because it makes all sorts of "mixed setups"
difficult, where you require client certs only on some part of the tree.

I often wonder if someone uses Subversion in conjunction with some
certificate-based pub key infrastructure or the like?
How do other people or companies handle this? Manually adding every
user to a htaccess file and doing basic auth? Is there really no
other approach possible?

A question closely related to this:

Last year, when I set up our Subversion repo, I failed to get
mod_authz_svn to recognize the user name (passed as CN in the certificate)
and to grant access based on this user name.
The only thing that seems to work is to grant access to everyone with
* = rw

--

Hermann Vosseler

---------------------------------------------------------------
Hermann Voßeler
Baader Wertpapierhandelsbank AG / IT
Weihenstephaner Straße 4
D-85716 Unterschleißheim
Internet: www.baaderbank.de
---------------------------------------------------------------
Received on Tue May 10 15:53:30 2005

This is an archived mail posted to the Subversion Users mailing list.