You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@subversion.apache.org by Philip Martin <ph...@codematters.co.uk> on 2018/07/25 14:08:38 UTC
ra_serf not storing client cert creds
I've noticed a feature that seems to be have been lost when we switched
from neon to serf: serf doesn't store the client cert creds. There are
two bits of data, the path to the pkcs12 file and the password for the
private key. The ra_serf library will prompt for these, if
config:auth:ssl-client-cert-file-prompt is set, but there is no code to
call svn_auth_save_credentials() and they do not get stored. The
ra_neon library did store them and all the relevant code is still
present in the providers.
I can't see any reason for dropping this feature so I think it should be
reinstated.
--
Philip
Re: ra_serf not storing client cert creds
Posted by Philip Martin <ph...@codematters.co.uk>.
Daniel Shahaf <d....@daniel.shahaf.name> writes:
> Not opposed to reinstating, but curious how come this regression hasn't
> been noticed until now. It has been just over five years since we
> dropped ra_neon (in 1.8.0). Did some distro only recently upgrade from
> 1.7 to 1.9 or something?
I suspect it wasn't reported earlier because a) few people use client
certs, b) the introduction of ssl-client-cert-file-prompt (issue 2410)
means that users must edit their config to be able to use a client cert
at all -- and when they do that they can simply set ssl-client-cert-file
and ssl-client-cert-file-password in the servers file and bypass the
storage problem. The user could still complain about storing the
password in the servers file, rather than the password stores, but users
may not recognise that as an issue.
--
Philip
Re: ra_serf not storing client cert creds
Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Philip Martin wrote on Wed, 25 Jul 2018 15:08 +0100:
> I've noticed a feature that seems to be have been lost when we switched
> from neon to serf: serf doesn't store the client cert creds. There are
> two bits of data, the path to the pkcs12 file and the password for the
> private key. The ra_serf library will prompt for these, if
> config:auth:ssl-client-cert-file-prompt is set, but there is no code to
> call svn_auth_save_credentials() and they do not get stored. The
> ra_neon library did store them and all the relevant code is still
> present in the providers.
>
> I can't see any reason for dropping this feature so I think it should be
> reinstated.
Not opposed to reinstating, but curious how come this regression hasn't
been noticed until now. It has been just over five years since we
dropped ra_neon (in 1.8.0). Did some distro only recently upgrade from
1.7 to 1.9 or something?