On Sun, Mar 13, 2011 at 8:31 AM, Michael-O <1983-01-06_at_gmx.net> wrote:
> Hi folks,
>
> After configuring another server with svnserve over xinetd, I still do not
> completely understand the chapter on SASL encryption in the Subversion
> manual.
>
> It says that SASL can do encryption for me. There are two options to
> configure SASL, one is saslauthd which handles authentication in plain text.
> This means that only Kerberos can be used securely. This option is not
> available for me anyway.
> The other one is the auxprop with sasldb. This is what I did. I chose
> DIGEST-MD5 for a shared secret mechanism. In this case the authentication can
> be plain text because no password is exchanged and the authentication
> procedure is secure.
> Does this mean that the svnserve.conf's min|max-encryption do a full
> /transport/ encryption?
>
> This point is not made clear enough in the manual. At no point is it
> stated what is actually configured: authentication or transport encryption.
>
> In terms of HTTP, the authentication happens inside the tunnel, so both are
> done. With Kerberos I can have authentication and transport optional.
All of this is explained in the RFC:
http://tools.ietf.org/html/rfc2831
The login negotiation is not encrypted. As part of the login process
the client and server can exchange information that allows the
subsequent conversation to be encrypted using information from the
login.
--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2011-03-13 14:08:43 CET
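
The mechanism the reply points to, as an added example that is not part of the original thread: a Python sketch of the RFC 2831 DIGEST-MD5 computation, showing that the cleartext login carries only a hash-derived response and that the keys for the later security layer come from the same H(A1) value. The function names are hypothetical, inputs are assumed to be ASCII, and the sample values in the comments are the ones from the RFC's own IMAP example.

```python
import hashlib

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def h_a1(user, realm, password, nonce, cnonce) -> bytes:
    """H(A1): the only place the password is used. It is never transmitted."""
    secret = _md5(f"{user}:{realm}:{password}".encode())
    # A1 = H(user:realm:password) ":" nonce ":" cnonce  (no authzid in this sketch)
    return _md5(secret + f":{nonce}:{cnonce}".encode())

def digest_response(ha1: bytes, nonce, cnonce, nc, qop, digest_uri) -> str:
    """The 'response' value the client sends in the unencrypted login step."""
    a2 = "AUTHENTICATE:" + digest_uri
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32          # RFC 2831 pads A2 when a security layer is requested
    ha2 = _md5(a2.encode()).hex()
    return _md5(f"{ha1.hex()}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hex()

def security_layer_keys(ha1: bytes, n: int = 16) -> dict:
    """Keys for the post-login layer, derived from H(A1) with the RFC's constants.
    n is how many bytes of H(A1) feed the sealing keys (16 for the strong ciphers)."""
    def k(prefix, label):
        return _md5(prefix + label.encode())
    return {
        # qop=auth-int: per-message integrity (signing) keys
        "Kic": k(ha1, "Digest session key to client-to-server signing key magic constant"),
        "Kis": k(ha1, "Digest session key to server-to-client signing key magic constant"),
        # qop=auth-conf: confidentiality (sealing) keys
        "Kcc": k(ha1[:n], "Digest H(A1) to client-to-server sealing key magic constant"),
        "Kcs": k(ha1[:n], "Digest H(A1) to server-to-client sealing key magic constant"),
    }

if __name__ == "__main__":
    # Sample exchange from RFC 2831 section 4 (user "chris", password "secret").
    ha1 = h_a1("chris", "elwood.innosoft.com", "secret",
               "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk")
    print("response sent in the clear:",
          digest_response(ha1, "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk",
                          "00000001", "auth", "imap/elwood.innosoft.com"))
    for name, key in security_layer_keys(ha1).items():
        print(name, key.hex())
```

Both ends can compute these keys without sending them, because each already knows the shared secret and both nonces.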