
Re: Can SVN be used with RF3820 user proxy certificates?

From: Joe Orton <jorton_at_redhat.com>
Date: Thu, 8 Oct 2009 08:59:44 +0100

On Mon, Oct 05, 2009 at 01:26:15PM -0400, Lewis E. Randerson wrote:
> Operating System: RHEL Client release 5.4 (Tikanga)
> Subversion version: svn, version 1.4.2 (r22196)
> Is it possible to use Proxy certificates generated using
> grid-proxy-init or myproxy-get-delegation with the svn command
> instead of pfx or p12 files? These proxies are RFC 3820 compliant,
> and the environment variable OPENSSL_ALLOW_PROXY_CERTS=1 has been set
> for the Apache server.
> The advantage is that private keys are not in these certificates,
> and also the certificates can have a limited life span set by the user.

I've not done any testing with proxy certs with neon (or SVN). My
understanding was that a proxy cert does have its own private key,
separate from the EE (user) cert that signed the proxy certificate -
checking again, that is what RFC 3280 says.

So I'm not sure what changes would be needed to neon/svn to support
proxy certs. AFAICT, "grid-proxy-init" is part of the Globus toolkit,
and it will spit out a proxy cert in OpenSSL PEM format, which can be
converted to PKCS#12:

  openssl pkcs12 -export -in proxy-cert.pem -out proxy-cert.p12

should work.

What might be a problem is that the server could require the complete
chain of client certs (EE cert, any intermediary proxies, proxy cert) to
be sent, which neon won't do currently.

Regards, Joe


Received on 2009-10-08 10:00:50 CEST

This is an archived mail posted to the Subversion Users mailing list.
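
As an added example (not part of the original mail, and not neon or Subversion code), the script below builds a constructed CA, user (EE) certificate and RFC 3820 proxy with its own key pair, shows that `openssl verify` rejects the proxy unless proxy certificates are explicitly allowed, and packs the proxy key and certificate into PKCS#12 with the EE certificate as an extra chain certificate. It assumes OpenSSL 1.1.1 or later on the PATH; all names, file names and the password are made up, and whether a client actually sends the extra certificate is up to the client.

```shell
# Added example. Constructed throwaway chain: CA -> EE (user) -> RFC 3820 proxy.
# All names, file names and the PKCS#12 password are made up for the demo.
build_proxy_chain() {                      # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > pc.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
[proxy_ext]
keyUsage = critical,digitalSignature,keyEncipherment
proxyCertInfo = critical,language:id-ppl-inheritAll
EOF
    mkreq() { openssl req -config pc.cnf -new -newkey rsa:2048 -nodes \
                -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
    sign()  { n=$1 ext=$2; shift 2
              openssl x509 -req -in "$n.csr" -days 1 -extfile pc.cnf \
                -extensions "$ext" -out "$n.crt" "$@" 2>/dev/null; }
    # The proxy gets its own key pair; its subject is the EE subject plus one CN.
    mkreq ca "/O=Example/CN=Constructed CA" && sign ca ca_ext -signkey ca.key &&
    mkreq ee "/O=Example/CN=alice" &&
      sign ee ee_ext -CA ca.crt -CAkey ca.key -CAcreateserial &&
    mkreq proxy "/O=Example/CN=alice/CN=proxy" &&
      sign proxy proxy_ext -CA ee.crt -CAkey ee.key -CAcreateserial )
}
verify_proxy() {                           # $1 = dir, rest = extra verify flags
  d=$1; shift
  ( unset OPENSSL_ALLOW_PROXY_CERTS        # so only the explicit flag decides
    openssl verify "$@" -CAfile "$d/ca.crt" -untrusted "$d/ee.crt" \
      "$d/proxy.crt" >/dev/null 2>&1 )
}
pack_p12() {          # proxy key + proxy cert, EE cert added as extra chain cert
  openssl pkcs12 -export -inkey "$1/proxy.key" -in "$1/proxy.crt" \
    -certfile "$1/ee.crt" -passout pass:constructed -out "$1/proxy.p12"
}
count_p12_certs() {
  openssl pkcs12 -in "$1/proxy.p12" -passin pass:constructed -nokeys \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
w=$(mktemp -d) && build_proxy_chain "$w" && pack_p12 "$w" && {
  verify_proxy "$w" || echo "proxy rejected without -allow_proxy_certs"
  verify_proxy "$w" -allow_proxy_certs && echo "proxy accepted with the flag"
  echo "certificates in PKCS#12: $(count_p12_certs "$w")"
}
```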