Posted to dev@subversion.apache.org by Serge Bakkal <Se...@wanadoo.fr> on 2003/06/21 04:27:53 UTC

openssl X509 certificate based client authentication svn svncpp

Hi ,
How would we integrate X509 certificate based client authentication (and
then bypass the apache basic authentication)?
Has anyone begun working on this area - or did I miss something and is it
an auth method already provided with subversion?

Serge Bakkal


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: openssl X509 certificate based client authentication svn svncpp

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
"Serge Bakkal" <Se...@wanadoo.fr> writes:

> How would we integrate X509 certificate based client authentication (and
> then bypass the apache basic authentication)?
> Has anyone begun working on this area - or did I miss something and is it
> an auth method already provided with subversion?

It's not provided in Subversion directly, but it works just fine with
mod_ssl. I recommend reading the mod_ssl documentation. Basically, you
need the directive

# maybe you want to use "optional"
SSLVerifyClient require

Notice that this must be a top-level directive, i.e. it doesn't work
on the per-directory config, as SSL renegotiation just won't work with
requests that have bodies (such as PROPFIND). Therefore, we use
"optional", to allow other content to be accessed without client
authentication.

You then need

SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

to list all the CAs whose certificates you trust.

For authorization in the repository, you need SSLRequire; we use
something like

SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=HPI OSM Client Authentication CA" && \
  %{SSL_CLIENT_S_DN_CN} in {"Martin von Loewis", \
    "Peter Troeger", "Michael Dirska"}

Notice that with that approach, unfortunately, user names don't get
logged. I recommend that you install mod_ssl_user.c, from

http://www.dcl.hpi.uni-potsdam.de/home/loewis/mod_ssl_user.c

Regards,
Martin
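
The following httpd.conf fragment is an added example that puts the directives from Martin's reply together in one place; it is not configuration from the thread or from the Subversion project. The server name, certificate paths, repository path, the issuer DN and the user names are placeholders, and the SSLUserName line is an assumption about newer httpd releases, added only because the reply points out that certificate user names otherwise do not reach the access log.

```apache
# Added example, not from the original thread. Values marked PLACEHOLDER
# are assumptions; /etc/httpd/ssl.crt/ca-bundle.crt is the path from the reply.
# Apache does not allow a "#" comment on the same line as a directive, so
# every comment here sits on its own line.
<VirtualHost *:443>
    # PLACEHOLDER host name and server certificate paths
    ServerName svn.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/server.key

    # Client-certificate verification is configured for the whole virtual
    # host. Putting SSLVerifyClient inside <Location> would force a TLS
    # renegotiation after the request has started, which fails for requests
    # that carry a body (PROPFIND, MERGE, ...). "optional" lets content that
    # needs no client certificate be served while still populating the
    # SSL_CLIENT_* variables whenever a certificate is presented.
    SSLVerifyClient optional
    SSLVerifyDepth 2

    # Every CA whose client certificates are trusted, in one PEM bundle.
    SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

    # Assumption: newer httpd releases provide SSLUserName, which copies the
    # named variable into the request user so "%u" in the access log shows
    # the certificate CN instead of being empty.
    SSLUserName SSL_CLIENT_S_DN_CN

    <Location /svn>
        DAV svn
        # PLACEHOLDER parent directory of the repositories
        SVNParentPath /var/svn

        # Authorization for the repository: a certificate must have been
        # presented and verified, it must come from the expected issuing CA
        # (PLACEHOLDER DN), and its subject CN must be on the allow list.
        # With "optional", a client that sends no certificate reaches this
        # point with SSL_CLIENT_VERIFY set to "NONE" and is refused with 403.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" && \
                   %{SSL_CLIENT_I_DN} eq "/C=XX/O=PLACEHOLDER/CN=PLACEHOLDER Client CA" && \
                   %{SSL_CLIENT_S_DN_CN} in {"alice", "bob"}
    </Location>
</VirtualHost>
```

Two caveats for anyone applying this to a current httpd rather than the 2003-era server the thread discusses: since httpd 2.3.11 the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN variables default to the RFC 2253 form ("CN=...,O=...,C=..."), so a slash-separated DN like the one above only matches if SSLOptions +LegacyDNStringFormat is set or the string is rewritten in the new format; and in httpd 2.4 SSLRequire is deprecated in favour of Require expr, which accepts the same %{SSL_CLIENT_*} variables. Checking SSL_CLIENT_VERIFY explicitly, as above, is what keeps "optional" safe: it ensures the per-location rule cannot be satisfied by an anonymous connection.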
