
RE: svn client & smartcard certificates

From: Van Deman, Quint CTR US USJFCOM J7 <quint.vandeman_at_att.jfcom.mil>
Date: Fri, 18 Apr 2008 11:28:44 -0400

Sounds great Joe, I'll try to keep tabs on it, but as you hear anything
related to the CryptoAPI work if you could shoot it my way I'd
appreciate it. I'm obviously not a Windows guy either, but invariably
there are folks out there in DOD land developing on Windows and we can't
totally shut them out long term.

I'll append the DOD CA certs to /etc/pki/tls/cert.pem, recompile neon
with the ca-bundle switch and see if that takes care of the cert trust
issue.

Thanks again for all of your help!

-Quint

-----Original Message-----
From: Joe Orton [mailto:jorton_at_redhat.com]
Sent: Friday, April 18, 2008 10:57 AM
To: Van Deman, Quint CTR US USJFCOM J7
Cc: Calahan, Joshua A CTR USAF AFMC AEDC/ATA; Smith, Barbara CTR US
USJFCOM J7; users_at_subversion.tigris.org
Subject: Re: svn client & smartcard certificates

On Fri, Apr 18, 2008 at 10:43:20AM -0400, Van Deman, Quint CTR US
USJFCOM J7 wrote:
> Spot on, that was my dumb mistake...
>
> Everything is working perfectly...both co & commits!

Great news. You can revert the pakchois debugging patch so you don't
get spammed by that too much ;)

> I will roll up a RHEL5 rpm to see if we can get this into a good
> useable form for the average user.
>
> 2 follow on questions:
> - When svn 1.5 is officially released, will these deps be up to an
> appropriate level for all of this to work, or are we still ahead of
> the curve?

The only issue is the pakchois patch needed for CoolKey. I'm not sure
whether this is a bug in CoolKey itself; I've asked our CoolKey guys.

> - Thoughts on a Windows build? How is svn built for Windows, cygwin?

There was a discussion of this a few days ago on the dev@ list.

I'm not a Windows expert, but I think you'd need to use the CryptoAPI in
place of PKCS#11; neon doesn't support that. It would be quite a bit of
work, though apparently someone is looking into it.

> As for the certificate acceptance, I have the DoD CA public cert in
> both PEM & DER format, just need to know where to drop it so neon will
> see it...

There are two choices here. You can configure Subversion to use it
manually, using the "ssl-authority-files" config option in
~/.subversion/servers.

Alternatively, when you build neon you can pass to configure:

   --with-ca-bundle=/path/to/certs.pem

and specify an absolute path of a PEM cert bundle. If you do that, all
the certs in that bundle will be trusted by default by Subversion.
(Normally, one would configure neon to use a system-wide CA root bundle
like /etc/pki/tls/cert.pem which includes the standard Internet PKI
roots.)

Regards,

joe

Received on 2008-04-18 17:57:44 CEST

This is an archived mail posted to the Subversion Users mailing list.
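
Added example (not part of the archived thread, and not code from Subversion or neon): a Python helper for the step discussed above, adding a CA certificate supplied as PEM or DER to the PEM bundle that "ssl-authority-files" or neon's --with-ca-bundle points at. The fingerprint pinning, the function names and the sample bytes are assumptions made for illustration; the sample "certificates" are constructed placeholder bytes, not real CAs.

```python
import base64, hashlib, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_certs(data):
    """Return DER bytes for each certificate in a PEM bundle or a single DER file."""
    if b"-----BEGIN CERTIFICATE-----" in data:
        return [base64.b64decode(b"".join(body.split())) for body in PEM_RE.findall(data)]
    if data[:1] == b"\x30":      # a DER certificate starts with an ASN.1 SEQUENCE tag
        return [data]
    raise ValueError("neither PEM nor DER certificate data")

def fingerprint(der):
    """SHA-256 over the DER encoding, as hex."""
    return hashlib.sha256(der).hexdigest()

def to_pem(der):
    """Encode DER bytes as one PEM CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def merge_ca(bundle, new_cert, pinned):
    """Append certs from new_cert (PEM or DER) to a PEM bundle, but only those whose
    fingerprint is in `pinned` (verified out of band) and not already present.
    Returns (merged_bundle, added_fingerprints, rejected_fingerprints)."""
    have = {fingerprint(d) for d in load_certs(bundle)} if bundle.strip() else set()
    out = bundle if not bundle or bundle.endswith(b"\n") else bundle + b"\n"
    added, rejected = [], []
    for der in load_certs(new_cert):
        fp = fingerprint(der)
        if fp not in pinned:
            rejected.append(fp)   # unverified root: leave it out of the trust bundle
        elif fp not in have:
            out += to_pem(der)
            have.add(fp)
            added.append(fp)
    return out, added, rejected

# Constructed placeholder bytes standing in for DER certificates (not real CAs).
ROOT_A = b"\x30\x82" + b"constructed-root-A" * 5
ROOT_B = b"\x30\x82" + b"constructed-root-B" * 5
UNVETTED = b"\x30\x82" + b"constructed-unvetted" * 5

if __name__ == "__main__":
    pins = {fingerprint(ROOT_A), fingerprint(ROOT_B)}
    bundle, added, _ = merge_ca(to_pem(ROOT_A), ROOT_B, pins)   # DER input, new root
    _, again, _ = merge_ca(bundle, to_pem(ROOT_B), pins)        # PEM input, duplicate
    _, _, bad = merge_ca(bundle, UNVETTED, pins)                # not pinned
    print(len(load_certs(bundle)), added, again, bad)
```

Writing the merged result to a separate bundle file and pointing Subversion or neon at that file leaves the system-wide bundle untouched.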