[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Making the svn client ignore optional client certificate requests

From: Max Spicer <mjs510_at_york.ac.uk>
Date: 2007-08-30 11:13:17 CEST

I am setting up a repository that is accessible only via https and only
to authenticated users. Most users log in via basic auth over https,
but some automated scripts need to log in with client certificates
instead. I've successfully set up my Apache 2.2 server and
mod_authz_svn to do what I need, but have run into problems with the way
the svn client responds to Apache's SSLVerifyClient optional. Whenever
I perform an svn command (e.g. co, ls, log etc) against an area
configured in this way, svn asks me to specify the Client certificate
filename. The majority of users don't have a client certificate, so
this is a problem - they have to press enter three times before the
prompt goes away, at which point the command just works, as svn has
already cached their perfectly acceptable basic auth credentials.

Here's an example session:

host0:~$ svn ls https://repos.example.com/repos
Authentication realm: https://repos.example.com:443
Client certificate filename: [user presses enter]
Authentication realm: https://repos.example.com:443
Client certificate filename: [user presses enter]
Authentication realm: https://repos.example.com:443
Client certificate filename: [user presses enter]
mainProject/
otherProject/
host0:~$

You can see that at the end the svn ls completes successfuly once the
user has finally got past the unnecessary filename prompts.

What I'd like to know is if there is anyway to suppress the Client
certificate filename prompts? I've tried various hacks with pointing
ssl-client-cert-file to empty or garbage files in the servers config
file but to no avail. I can't point it to an acceptable certificate as
the client doesn't have one. I have found an open bug on this that
would solve my problem -
http://subversion.tigris.org/issues/show_bug.cgi?id=2410. However, this
is quite old now. This talks about allowing the client to disable
client certificate requests altogether, which would certainly work.
Another solution would be to try basic auth login before assuming that a
client certificate has to be supplied.

For now, I'm just going to have to limit the directories that have
SSLVerifyClient Optional specified against them in order to minimise the
user disruption. I'd really appreciate any other tips that anyone could
offer.

Thanks,

Max Spicer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Aug 30 23:31:07 2007

This is an archived mail posted to the Subversion Users mailing list.