
Re: Clarification on SASL encryption

From: Mark Phippard <markphip_at_gmail.com>
Date: Sun, 13 Mar 2011 09:08:10 -0400

On Sun, Mar 13, 2011 at 8:31 AM, Michael-O <1983-01-06_at_gmx.net> wrote:
> Hi folks,
>
> after configuring another server with svnserve over xinetd, I still do not
> completely understand the chapter on SASL encryption in the Subversion
> manual.
>
> It says that SASL can do encryption for me. There are two options to
> configure SASL, one is saslauthd which handles authentication in plain text.
> This means that only Kerberos can be used securely. This option is not
> available for me anyway.
> The other one is the auxprop with sasldb. This is what I did. I chose
> DIGEST-MD5 for a shared secret mechanism. In this case the authentication can
> be plain text because no password is exchanged and the authentication
> procedure is secure.
> Does this mean that the svnserve.conf's min|max-encryption do a full
> /transport/ encryption?
>
> This point is not made clear enough in the manual. At no point is it
> stated what is actually configured: authentication or transport encryption.
>
> In terms of HTTP, the authentication happens inside the tunnel, so both are
> done. With Kerberos I can have authentication and transport optional.

All of this is explained in the RFC:

http://tools.ietf.org/html/rfc2831

The login negotiation is not encrypted. As part of the login process
the client and server can exchange information that allows the
subsequent conversation to be encrypted using information from the
login.

-- 
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2011-03-13 14:08:43 CET
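
The negotiation described in the reply above, worked through from RFC 2831 as an added example (not part of the original mail and not Subversion or Cyrus SASL code): the login sends only a digest response in the clear, and both ends derive the later integrity and confidentiality keys from the same never-transmitted H(A1). Function names are illustrative, the inputs are the sample values from the RFC's section 4 exchange, and the optional authzid is assumed to be absent.

```python
import hashlib

# Magic constants from RFC 2831 sections 2.3 (integrity) and 2.4 (confidentiality).
SIGN_C2S = b"Digest session key to client-to-server signing key magic constant"
SIGN_S2C = b"Digest session key to server-to-client signing key magic constant"
SEAL_C2S = b"Digest H(A1) to client-to-server sealing key magic constant"
SEAL_S2C = b"Digest H(A1) to server-to-client sealing key magic constant"

def md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def session_secret(user, realm, password, nonce, cnonce) -> bytes:
    """H(A1): derived from the password and both nonces, never transmitted."""
    inner = md5(f"{user}:{realm}:{password}".encode())
    return md5(inner + f":{nonce}:{cnonce}".encode())

def response(ha1, nonce, cnonce, digest_uri, qop="auth", nc="00000001") -> str:
    """Proof of password knowledge that the client sends during the clear login."""
    a2 = "AUTHENTICATE:" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    ha2 = md5(a2.encode()).hex()
    return md5(f"{ha1.hex()}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def layer_keys(ha1: bytes, n: int = 16) -> dict:
    """Per-direction keys for the security layer used after login.
    n is 16 for the rc4, des and 3des ciphers (5 for rc4-40, 7 for rc4-56)."""
    return {
        "Kic": md5(ha1 + SIGN_C2S),      # integrity, client to server
        "Kis": md5(ha1 + SIGN_S2C),      # integrity, server to client
        "Kcc": md5(ha1[:n] + SEAL_C2S),  # confidentiality, client to server
        "Kcs": md5(ha1[:n] + SEAL_S2C),  # confidentiality, server to client
    }

# Sample values from the example exchange in RFC 2831 section 4.
RFC = dict(user="chris", realm="elwood.innosoft.com", password="secret",
           nonce="OA6MG9tEQGm2hh", cnonce="OA6MHXh6VqTrRk")

if __name__ == "__main__":
    ha1 = session_secret(**RFC)
    print("sent in clear:", response(ha1, RFC["nonce"], RFC["cnonce"],
                                     "imap/elwood.innosoft.com"))
    for name, key in layer_keys(ha1).items():
        print(name, "(never sent):", key.hex())
```

An observer of the login sees the nonces and the response but needs the shared secret to compute H(A1), so the layer keys stay private to the two endpoints.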

This is an archived mail posted to the Subversion Users mailing list.
