[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Can SVN be used with RF3820 user proxy certificates?

From: Joe Orton <jorton_at_redhat.com>
Date: Thu, 8 Oct 2009 08:59:44 +0100

On Mon, Oct 05, 2009 at 01:26:15PM -0400, Lewis E. Randerson wrote:
> Operating System: RHEL Client release 5.4 (Tikanga)
> Subversion version: svn, version 1.4.2 (r22196)
>
> Is it possible to use Proxy certificates generated using
> grid-proxy-init or myproxy-get-delegation with the svn command
> instead of pfx or p12 files. These proxies are "RF 3820 compliant.
> And the environment variable OPENSSL_ALLOW_PROXY_CERTS=1 has been set
> for the Apache server.
>
> The advantage is that private keys are not in these certificates.
> and also the certificates can have a limited life span set by the user.

I've not done any testing with proxy certs with neon (or SVN). My
understanding was that a proxy cert does have its own private key,
separate from the EE (user) cert that signed the proxy certificate -
checking again, that is what RFC 3280 says.

So I'm not sure what changes would be needed to neon/svn to support
proxy certs. AFAICT, "grid-proxy-init" is part of the Globus toolkit,
and it will spit out a proxy cert in OpenSSL PEM format, which can be
converted to PKCS#12:

  openssl pkcs12 -export -in proxy-cert.pem -out proxy-cert.p12

should work.

What might be a problem is that the server could require the complete
chain of client certs (EE cert, any intermediary proxies, proxy cert) to
be sent, which neon won't do currently.

Regards, Joe

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2404820

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].
Received on 2009-10-08 10:00:50 CEST

This is an archived mail posted to the Subversion Users mailing list.