
SVN and SSL

From: Moore, Tom <Tom.Moore_at_aig.com>
Date: Fri, 25 Jan 2008 11:21:48 -0500

OK, trying to figure this out quickly

SVN is set up running 1.4.6.

Original SVN portion of apache conf was as follows:

<Location /svn>
   DAV svn
   SVNParentPath /home/test/svn

   # Fancy, fancy
   SVNIndexXSLT "/svnindex.xsl"

   # Limit WRITE permission to list of valid users.
   <LimitExcept GET PROPFIND OPTIONS REPORT>
       AuthType Basic
       AuthName test.com
       AuthUserFile /home/test/etc/svn.basic.passwd
       Require valid-user
       AuthUserFile /home/test/etc/svn-access.conf
       Satisfy Any
   </LimitExcept>
</Location>

Worked fine... except we discovered some users working remotely are stuck
behind a proxy/firewall setup and can't access the repository using an
http:// based setup. So out come the books and searches and we
determine that we need to configure SSL.

New SVN portion:

SSLVerifyClient none
SSLVerifyDepth 10
<Location /svn>
   DAV svn
   SVNParentPath /home/test/svn

   # Fancy, fancy
   SVNIndexXSLT "/svnindex.xsl"

   # Limit WRITE permission to list of valid users.
   <LimitExcept GET PROPFIND OPTIONS REPORT>

   SSLRequireSSL

   # Client Authentication (Type):
   # Client certificate verification type and depth. Types are
   # none, optional, require and optional_no_ca. Depth is a
   # number which specifies how deeply to verify the certificate
   # issuer chain before deciding the certificate is not valid.
   #
   # "optional" makes it visible generally...
   #
   #SSLVerifyClient require

   # SSLVerifyDepth must be >= the number of CA certificates in your
   # SSLCACertificateFile.
   #SSLVerifyDepth 10

   # This actually is what makes everything work!!
   SSLOptions +FakeBasicAuth

   AuthType Basic
   AuthName test.com
   AuthUserFile /home/test/etc/svn.basic.passwd
   Require valid-user
   AuthUserFile /home/test/etc/svn-access.conf
   Satisfy Any
   </LimitExcept>
</Location>

We don't have a need for client certificate level security, and would
rather not have to deal with setting each user up with a certificate.

This scenario "works" in that it allows our users to access SVN, but
there are two issues that we need to deal with.

1) Even though we set up SSL access, it is possible to access the
repository via the original http method, but writes/reports don't work.
Not a major problem in that we can just have everyone use https.
However, we don't want the confusion of being allowed to read the
repository via http, but not write to bite us. If there's any way to
block/redirect this (or even turn back on http based writes) I would
appreciate hearing it.

2) This one is more important. Ever since we set up SSL access,
the "author" of a change is no longer being recorded in the repository.
We need this. Again, trying to avoid client certs here, so if this is
possible, please let me know.

Tom Moore
tom.moore_at_aig.com

 
Received on 2008-01-25 17:29:43 CET
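
One way to lay out the setup the message asks for (HTTPS only, password logins, no client certificates), as an added example that is not part of the original message or of the Subversion project's documentation. The host name svn.example.com, the certificate paths and the split into two virtual hosts are assumptions; the repository and password-file paths are the ones from the message.

```apache
# Added example. svn.example.com and the certificate paths are placeholders;
# splitting the server into two virtual hosts is an assumption.

# Plain HTTP: refuse every /svn request so nobody ends up with a read-only
# http:// working copy. "Deny from all" is Apache 2.2 syntax; on 2.4 use
# "Require all denied".
<VirtualHost *:80>
    ServerName svn.example.com
    <Location /svn>
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # No client certificates are requested, so FakeBasicAuth (which derives
    # a user name from the client certificate subject) is left out.
    SSLVerifyClient none

    <Location /svn>
        DAV svn
        SVNParentPath /home/test/svn
        SVNIndexXSLT "/svnindex.xsl"

        # At <Location> level this covers every method, reads included.
        SSLRequireSSL

        # Writes need a real Basic login. Without "Satisfy Any" a write
        # cannot pass anonymously, so mod_dav_svn always has an
        # authenticated user name to record as the revision author.
        # The message's second AuthUserFile line is left out: a repeated
        # AuthUserFile replaces the first. If svn-access.conf is a
        # path-based authorization file (an assumption), mod_authz_svn
        # loads it with AuthzSVNAccessFile instead.
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            AuthType Basic
            AuthName test.com
            AuthUserFile /home/test/etc/svn.basic.passwd
            Require valid-user
        </LimitExcept>
    </Location>
</VirtualHost>
```

Working copies checked out over http:// can be pointed at the https:// URL with svn switch --relocate.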

This is an archived mail posted to the Subversion Users mailing list.
