
SVN client SSL CRL configuration

From: <mskala_at_ansuz.sooke.bc.ca>
Date: Wed, 9 Apr 2014 09:56:26 -0500 (CDT)

I'm not subscribed to the list and would appreciate a cc: on any replies.

I run a Subversion server accessible through Apache HTTPS, and several
clients that connect to it, all under Linux, and I run my own CA
(certificate authority) to issue SSL certificates to all parties. When I
set it up, I made no provision for issuing and distributing CRLs
(certificate revocation lists), not expecting that to ever be a relevant
issue. My server was "heartbleed"-vulnerable and has now been patched for
that; but it appears that as a result of possible past compromise I have
to issue new certificates for all the parties and revoke the old ones.

My main question is: how do I get the Subversion command-line client to
read a CRL? The ssl-authority-files configuration setting lets me specify
my CA's root certificate in a file; is there a similar setting for the
CRL? I would prefer to distribute the CRL as a file (instead of a URL to
be checked automatically); is that possible? Or is it absolutely
necessary to post the CRL online somewhere and specify its URL in the root
certificate (which will require constructing a new root certificate and a
bunch of scripts to periodically re-issue and re-post the file)? If it's
going to necessitate changes to the root certificate and frequent ongoing
maintenance, I might be better off just re-doing the entire public key
infrastructure from scratch, annoying as that will be.

Note I am specifically asking about the Subversion command-line client
running under Linux. I already know how to configure Apache to read the
CRL on the server side. All I've been able to find online regarding
*client-side* Subversion CRL use is Windows-specific.

-- 
Matthew Skala
mskala_at_ansuz.sooke.bc.ca                 People before principles.
http://ansuz.sooke.bc.ca/
Received on 2014-04-09 17:19:42 CEST

This is an archived mail posted to the Subversion Users mailing list.
