Posted to users@subversion.apache.org by ms...@ansuz.sooke.bc.ca on 2014/04/09 16:56:26 UTC

SVN client SSL CRL configuration

I'm not subscribed to the list and would appreciate a cc: on any replies.

I run a Subversion server accessible through Apache HTTPS, and several
clients that connect to it, all under Linux, and I run my own CA
(certificate authority) to issue SSL certificates to all parties.  When I
set it up, I made no provision for issuing and distributing CRLs
(certificate revocation lists), not expecting that to ever be a relevant
issue.  My server was "heartbleed"-vulnerable and has now been patched for
that; but it appears that as a result of possible past compromise I have
to issue new certificates for all the parties and revoke the old ones.

My main question is:  how do I get the Subversion command-line client to
read a CRL?  The ssl-authority-files configuration setting lets me specify
my CA's root certificate in a file; is there a similar setting for the
CRL?  I would prefer to distribute the CRL as a file (instead of a URL to
be checked automatically); is that possible?  Or is it absolutely
necessary to post the CRL online somewhere and specify its URL in the root
certificate (which will require constructing a new root certificate and a
bunch of scripts to periodically re-issue and re-post the file).  If it's
going to necessitate changes to the root certificate and frequent ongoing
maintenance, I might be better off just re-doing the entire public key
infrastructure from scratch, annoying as that will be.

Note I am specifically asking about the Subversion command-line client
running under Linux.  I already know how to configure Apache to read the
CRL on the server side.  All I've been able to find online regarding
*client-side* Subversion CRL use is Windows-specific.
-- 
Matthew Skala
mskala@ansuz.sooke.bc.ca                 People before principles.
http://ansuz.sooke.bc.ca/

Re: SVN client SSL CRL configuration

Posted by Ben Reser <be...@reser.org>.
On 4/9/14, 7:56 AM, mskala@ansuz.sooke.bc.ca wrote:
> My main question is:  how do I get the Subversion command-line client to
> read a CRL?  The ssl-authority-files configuration setting lets me specify
> my CA's root certificate in a file; is there a similar setting for the
> CRL?  I would prefer to distribute the CRL as a file (instead of a URL to
> be checked automatically); is that possible?  Or is it absolutely
> necessary to post the CRL online somewhere and specify its URL in the root
> certificate (which will require constructing a new root certificate and a
> bunch of scripts to periodically re-issue and re-post the file).  If it's
> going to necessitate changes to the root certificate and frequent ongoing
> maintenance, I might be better off just re-doing the entire public key
> infrastructure from scratch, annoying as that will be.
> 
> Note I am specifically asking about the Subversion command-line client
> running under Linux.  I already know how to configure Apache to read the
> CRL on the server side.  All I've been able to find online regarding
> *client-side* Subversion CRL use is Windows-specific.

If you haven't seen it already we published a message on this over the weekend:

https://mail-archives.apache.org/mod_mbox/subversion-announce/201404.mbox/%3C5349F1B7.1090306%40apache.org%3E

Unfortunately I missed mentioning the state of Windows where it does fall back
and support CRLs (see Bert's reply to your message).

Unfortunately, the work around I had hoped last week would work for you ended
up not working out.  Primarily because OpenSSL needs a flag set to even support
CRL checking at all and it's not set by default.

Wish we had a better option for you.  But it looks like starting with a fresh
CA is probably your best option.

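To make Ben's point about the OpenSSL flag concrete, here is an added example; it is not part of the thread and not Subversion or OpenSSL project code. It builds a throwaway CA in a temporary directory, issues a server certificate, revokes it, emits a CRL, and then runs `openssl verify` twice against the revoked certificate. The CA name, the host name svn.example.test, the config file and all file names are constructed for the demo. Without `-crl_check` the revoked certificate still verifies OK, which is what a client that trusts only `ssl-authority-files` sees; with `-crl_check` and the CRL supplied as a file, OpenSSL rejects it. An administrator can use the same two commands to check a freshly generated CRL before relying on it.

```shell
#!/bin/sh
# Added example, not from the thread or the Subversion project: build a
# throwaway CA, issue and revoke a server certificate, publish a CRL, and
# show that OpenSSL ignores the CRL unless -crl_check is given.
# All names, files and the config below are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl(1) config: a CA section for "openssl ca", plus extensions so
# the root is marked CA:TRUE and the leaf is a plain server certificate.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = example_ca

[ example_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_policy
x509_extensions  = server_ext

[ any_policy ]
commonName = supplied

[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = ca_ext

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
mkdir newcerts
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# 1. Self-signed root CA (stands in for the poster's private CA).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -subj "/CN=Example Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# 2. Server certificate for the (made-up) Subversion host.
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=svn.example.test" -keyout server.key -out server.csr 2>/dev/null
openssl ca -batch -config ca.cnf -in server.csr -out server.pem 2>/dev/null

# 3. Revoke it (as after a key compromise) and issue the CRL.
openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# verify_server MODE prints "ok", "revoked" or "error".
#   plain : trust the CA only, which is all a client without CRL support does
#   crl   : same, but with -crl_check and the CRL supplied as a file
# The result is taken from the text output rather than the exit status so it
# does not depend on how a given OpenSSL release maps failures to exit codes.
verify_server() {
    case "$1" in
        plain) out=$(openssl verify -CAfile ca.pem server.pem 2>&1 || true) ;;
        crl)   out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl \
                         server.pem 2>&1 || true) ;;
        *)     echo "usage: verify_server plain|crl" >&2; return 2 ;;
    esac
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo ok ;;
        *)                       echo error ;;
    esac
}

verify_server plain    # prints "ok": the revoked certificate is still accepted
verify_server crl      # prints "revoked": only now is the CRL consulted
```

The "plain" run is the situation the thread describes: a trust store with the CA certificate alone never consults a CRL, so revoking the old server certificate does nothing for such clients until they are re-pointed at a new CA. On the server side the equivalent switch exists too: in Apache 2.4 mod_ssl a CRL given via SSLCARevocationFile is only applied when SSLCARevocationCheck is set to something other than its default of none.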
RE: SVN client SSL CRL configuration

Posted by Bert Huijben <be...@qqmail.nl>.

> -----Original Message-----
> From: Ben Reser [mailto:ben@reser.org]
> Sent: Wednesday 9 April 2014 21:28
> To: mskala@ansuz.sooke.bc.ca; users@subversion.apache.org
> Subject: Re: SVN client SSL CRL configuration
> 
> On 4/9/14, 8:56 AM, mskala@ansuz.sooke.bc.ca wrote:
> > I'm not subscribed to the list and would appreciate a cc: on any replies.
> >
> > I run a Subversion server accessible through Apache HTTPS, and several
> > clients that connect to it, all under Linux, and I run my own CA
> > (certificate authority) to issue SSL certificates to all parties.  When I
> > set it up, I made no provision for issuing and distributing CRLs
> > (certificate revocation lists), not expecting that to ever be a relevant
> > issue.  My server was "heartbleed"-vulnerable and has now been patched for
> > that; but it appears that as a result of possible past compromise I have
> > to issue new certificates for all the parties and revoke the old ones.
> >
> > My main question is:  how do I get the Subversion command-line client to
> > read a CRL?  The ssl-authority-files configuration setting lets me specify
> > my CA's root certificate in a file; is there a similar setting for the
> > CRL?  I would prefer to distribute the CRL as a file (instead of a URL to
> > be checked automatically); is that possible?  Or is it absolutely
> > necessary to post the CRL online somewhere and specify its URL in the root
> > certificate (which will require constructing a new root certificate and a
> > bunch of scripts to periodically re-issue and re-post the file).  If it's
> > going to necessitate changes to the root certificate and frequent ongoing
> > maintenance, I might be better off just re-doing the entire public key
> > infrastructure from scratch, annoying as that will be.
> >
> > Note I am specifically asking about the Subversion command-line client
> > running under Linux.  I already know how to configure Apache to read the
> > CRL on the server side.  All I've been able to find online regarding
> > *client-side* Subversion CRL use is Windows-specific.
> 
> The answer unfortunately is that currently we don't support CRLs.  However,
> we may have a workaround.  We're investigating currently and will follow up
> with more info soon.

On Windows this is not the entire story: If you didn't explicitly accept the
certificate in Subversion (or via a custom openssl config), but
automatically accept it via the Windows Crypto API and its certificate
store, then CRLs are used... 

So you would see Subversion prompt for an untrusted certificate in case the
certificate is revoked.

	Bert


Re: SVN client SSL CRL configuration

Posted by Ben Reser <be...@reser.org>.
On 4/9/14, 8:56 AM, mskala@ansuz.sooke.bc.ca wrote:
> I'm not subscribed to the list and would appreciate a cc: on any replies.
> 
> I run a Subversion server accessible through Apache HTTPS, and several
> clients that connect to it, all under Linux, and I run my own CA
> (certificate authority) to issue SSL certificates to all parties.  When I
> set it up, I made no provision for issuing and distributing CRLs
> (certificate revocation lists), not expecting that to ever be a relevant
> issue.  My server was "heartbleed"-vulnerable and has now been patched for
> that; but it appears that as a result of possible past compromise I have
> to issue new certificates for all the parties and revoke the old ones.
> 
> My main question is:  how do I get the Subversion command-line client to
> read a CRL?  The ssl-authority-files configuration setting lets me specify
> my CA's root certificate in a file; is there a similar setting for the
> CRL?  I would prefer to distribute the CRL as a file (instead of a URL to
> be checked automatically); is that possible?  Or is it absolutely
> necessary to post the CRL online somewhere and specify its URL in the root
> certificate (which will require constructing a new root certificate and a
> bunch of scripts to periodically re-issue and re-post the file).  If it's
> going to necessitate changes to the root certificate and frequent ongoing
> maintenance, I might be better off just re-doing the entire public key
> infrastructure from scratch, annoying as that will be.
> 
> Note I am specifically asking about the Subversion command-line client
> running under Linux.  I already know how to configure Apache to read the
> CRL on the server side.  All I've been able to find online regarding
> *client-side* Subversion CRL use is Windows-specific.

The answer unfortunately is that currently we don't support CRLs.  However, we
may have a workaround.  We're investigating currently and will follow up with
more info soon.