Re: svn client & smartcard certificates

On Fri, Apr 18, 2008 at 10:43:20AM -0400, Van Deman, Quint CTR US USJFCOM J7 wrote:
> Spot on, that was my dumb mistake...
>
> Everything is working perfectly...both co & commits!

Great news. You can revert the pakchois debugging patch so you don't
get spammed by that too much ;)

> I will roll up a RHEL5 rpm to see if we can get this into a good useable
> for for the average user.
>
> 2 follow on questions:
> - When svn 1.5 is officially released, will these deps be up to an
> appropriate level for all of this to work, or are we still ahead of the
> curve?

The only issue is the pakchois patch needed for CoolKey. I'm not sure
whether this is a bug in CoolKey itself; I've asked our CoolKey guys.

> - Thoughts on a windows build? How is svn built for windows, cygwin?

There was a discussion of this a few days ago on the dev@ list.

I'm not a Windows expert, but I think you'd need to use the CryptoAPI in
place of PKCS#11; neon doesn't support that. It would be quite a bit of
work, though apparently someone is looking into it.

> As for the certificate acceptance, I have the DoD CA public cert in both
> PEM & DER format, just need to know where to drop it so neon will see
> it...

There are two choices here. You can configure Subversion to use it
manually, using the "ssl-authority-files" config option in
~/.subversion/servers.

Alternatively, when you build neon you can pass to configure:

   --with-ca-bundle=/path/to/certs.pem

and specify an absolute path of a PEM cert bundle. If you do that, all
the certs in that bundled will be trusted by default by Subversion.
(Normally, one would configure neon to use a system-wide CA root bundle
like /etc/pki/tls/cert.pem which includes the standard Internet PKI
roots.)

Regards,

joe

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-04-18 16:58:11 CEST