
Re: Accessing SVN repository via Apache and SSL client certificate? Almost there, but something is missing.

From: Ralph Seichter <subversion-ml_at_sentries.org>
Date: 2005-05-17 13:14:05 CEST

Phillip Susi wrote:

> I find that it is better to use SSLUserName to have the mod_ssl
> directly fill out the logged in user name with the CN from the
> certificate, and not use AuthType Basic and AuthUserFile at all.

That is of course much better than SSLOptions +FakeBasicAuth. I only
wonder why <http://httpd.apache.org/docs-2.0/en/mod/directives.html>
fails to mention SSLUserName, as it is important information which
would have saved me quite some trouble trying to get the old (fake)
authentication working. I thought that SSLUserName is not available
for Apache 2.0.x, but as it turns out, it works with versions 2.0.51
and newer. "Do good and talk about it" comes to mind; don't hide the
good features. ;-)

> are you saying that when using SSLVerifyClient optional in the root
> of the vhost, then setting it to required for the location /svn, svn
> does not choke when asked for the client cert, but a normal web
> browser is able to access the root over SSL without a client
> certificate?

Yes, I tested this with Firefox 1.0.4 and IE 6. Here are the
relevant parts of the configuration files:

  <VirtualHost _default_:443>
      SSLVerifyDepth 1
      SSLVerifyClient optional
      <Location /svn>
          SSLVerifyClient require
          SSLOptions +StrictRequire
          SSLRequire %{SSL_CLIENT_I_DN_O} eq "DiscWorld Ltd."
          SSLUserName SSL_CLIENT_S_DN_CN
          DAV svn
          SVNParentPath /var/svn/reps
          AuthzSVNAccessFile /var/svn/access
      </Location>
  </VirtualHost>

  # /var/svn/access
  [groups]
  admin = Esmeralda Weatherwax, Nanny Ogg
  [lancre:/]
  @admin = rw
  Magrat Garlick = r

This looks rather sleek and it solved the case for me. One could
probably drop SSLOptions +StrictRequire, but it does not hurt to
keep it.

-- 
Mit freundlichen Grüßen / Sincerely
Dipl. Inform. Ralph Seichter
HORUS-IT
Ahornweg 10
D-57635 Oberirsen
Tel +49 2686 987880
Fax +49 2686 987889
http://horus-it.de/
Received on Tue May 17 13:16:27 2005

This is an archived mail posted to the Subversion Users mailing list.
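
An added example, not part of the original message and not Apache or Subversion code: a Python model of how the configuration in the message decides a request, combining the issuer check from SSLRequire, the CN-as-user-name mapping from SSLUserName, and a lookup in the quoted access file. The function names, the resolution rule (the most specific section naming the user wins, matching entries are combined) and the certificate values used to call it are assumptions made for illustration.

```python
import configparser

# The access file from the message, reproduced as a string.
ACCESS_FILE = """\
[groups]
admin = Esmeralda Weatherwax, Nanny Ogg
[lancre:/]
@admin = rw
Magrat Garlick = r
"""
REQUIRED_ISSUER_O = "DiscWorld Ltd."  # value from the SSLRequire line


def load_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep case: user names are certificate CNs
    cp.read_string(text)
    return cp


def rights_for(authz, issuer_o, subject_cn, repo, path="/"):
    """Return '', 'r' or 'rw' for one request (assumed resolution rule)."""
    # SSLRequire: reject certificates from any other issuer organisation.
    if issuer_o != REQUIRED_ISSUER_O:
        return ""
    groups = {}
    if authz.has_section("groups"):
        for name, members in authz.items("groups"):
            groups[name] = {m.strip() for m in members.split(",")}
    # SSLUserName: the subject CN becomes the user name, unmodified.
    parts = [p for p in path.split("/") if p]
    while True:
        section = f"{repo}:/" + "/".join(parts)
        granted, matched = set(), False
        if authz.has_section(section):
            for who, perms in authz.items(section):
                if who == subject_cn or who == "*" or (
                    who.startswith("@") and subject_cn in groups.get(who[1:], ())
                ):
                    matched = True
                    granted |= set(perms)
        if matched:
            return "".join(c for c in "rw" if c in granted)
        if not parts:
            return ""  # no rule names this user: no access
        parts.pop()  # fall back to the parent path


AUTHZ = load_authz(ACCESS_FILE)
```

Because the user name is the bare CN, the access decision rests on the issuing CA never handing out two certificates with the same CN, which is why the issuer restriction and the verification depth in the configuration matter.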