RE: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

From: Simpson, Andrew R CIV NSWC Crane, JXSNL <andrew.simpson_at_navy.mil>
Date: Thu, 10 Dec 2015 15:42:12 +0000

Hi Mark,

so to be clear, unless we re-roll the latest subversion clients with pakchois and neon, we're going to be unable to use pkcs11? That is a major issue for linux development in the DoD. I will also need to contact RedHat to see what their plans are, but RHEL 6 is still stuck at 1.6.

I can still use svn 1.6 and 1.7 with the newer subversion server. However, we have been seeing timeout issues when checking out of repositories and other quirks. Otherwise, yes, it does work with PKCS 11. the subversion provider has updated to 1.8 or 1.9 (can't remember). Since then, we have been experiencing issues with these timeouts every 5-12 minutes of a checkout.

Thanks!
________________________________
From: Mark Phippard [markphip_at_gmail.com]
Sent: Thursday, December 10, 2015 10:18 AM
To: Simpson, Andrew R CIV NSWC Crane, JXSNL
Cc: users_at_subversion.apache.org
Subject: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

On Thu, Dec 10, 2015 at 9:34 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <andrew.simpson_at_navy.mil<mailto:andrew.simpson_at_navy.mil>> wrote:
I have been using svn 1.6 and 1.7 with PKCS11 Smart Cards for many years. with the removal of NEON from svn 1.8 and newer, I have been unable to use svn with pkcs11 certs/cards at all using RHEL 6.X. is there some configuration option that I'm missing?

I do not believe Serf has any support for this. Even with Neon on Linux I believe it required a custom build involving the pakchois library. On Windows, the pkcs11 support still works for Serf, but that is because it is provided via OpenSSL compile options that leverage the Windows support for smart cards. There is nothing similar on Linux.

does anyone know if it even works? It's a huge issue considering that our subversion server provider has updated to svn 1.9x and now the older clients don't play nice.

I would like to hear more details on this as it should not be true. Any SVN client version should work properly with a SVN 1.9 server. You should still be able to use 1.6 and 1.7 clients without any problems at all. There were no features added in SVN 1.9 that require a 1.9 client AND server:

http://subversion.apache.org/docs/release-notes/1.9.html#new-feature-compatibility-table

--
Thanks
Mark Phippard
http://markphip.blogspot.com/

Received on 2015-12-10 16:42:45 CET

This message: [ Message body ]
Next message: Mark Phippard: "Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer"
Previous message: Mark Phippard: "Re: using pkcs11 (CAC cards) with svn 1.8 and newer"
In reply to: Mark Phippard: "Re: using pkcs11 (CAC cards) with svn 1.8 and newer"
Next in thread: Mark Phippard: "Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer"
Reply: Mark Phippard: "Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]