Posted to dev@subversion.apache.org by "Wesley J. Landaker" <wj...@icecavern.net> on 2006/04/26 14:20:17 UTC

svnserve TLS support?

Hi folks,

I see issue #1144 about integrating SASL into svnserve for authentication. 
Has anyone considered also supporting TLS to allow security for the entire 
svnserve connection, on par with what is provided currently for https? 

Some advantages of having svnserve support TLS upgrading:
  * Works well with SASL, used in imaps, smtps, xmpp, ldap, etc.
  * Provides consistent transport security (vs. using SASL alone)
  * TLS is a draft internet standard that is already widely deployed.
  * Open source TLS libraries available, compatible with Subversion license:
    * GNU TLS <http://www.gnu.org/software/gnutls/> is LGPL'd.
    * OpenSSL <http://www.openssl.org/> is under an Apache-style license.
  * Doesn't require an extra IANA port (vs. using straight SSL)
    * (Since we should, as recommended, use an upgrade-to-TLS mechanism.)

Anyway, just wondering if anyone else has considered this, and/or if anyone 
is interested in working on this. =)

Also, as a separate but related issue, it would also be nice to support HTTP 
TLS upgrading when using http (RFC 2817); I don't think this is already 
supported, but I haven't checked.

-- 
Wesley J. Landaker <wj...@icecavern.net> <xm...@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Re: svnserve TLS support?

Posted by Michael Sweet <mi...@easysw.com>.
Wesley J. Landaker wrote:
> On Wednesday 26 April 2006 09:01, Michael Sweet wrote:
>> Wesley J. Landaker wrote:
>>> ...
>>> Also, as a separate but related issue, it would also be nice to support
>>> HTTP TLS upgrading when using http (RFC 2817); I don't think this is
>>> already supported, but I haven't checked.
>> There *are* issues with HTTP Upgrade that may be non-trivial to deal
>> with in Neon and Serf; basically, server-initiated upgrades can
>> happen too late to provide protection of sensitive information, so
>> you need to tweak the client code a little to work around it...
>>
>> We use the "Expect: 100-continue" header in CUPS to get the 426
>> response before sending the request body...
> 
> So, assuming this support was desired, is that something that would/should 
> be changed in Subversion, or in Neon, or both? I understand what you're 
> saying about server-initiated upgrades, I'm just not very familiar with how 
> much of this is controlled by libraries (i.e. Neon) and how much by 
> Subversion itself (i.e. libsvn_ra_dav).

That I can't answer, but I'm sure one of the core developers will
pipe in! :)

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: svnserve TLS support?

Posted by "Wesley J. Landaker" <wj...@icecavern.net>.
On Wednesday 26 April 2006 09:01, Michael Sweet wrote:
> Wesley J. Landaker wrote:
> > ...
> > Also, as a separate but related issue, it would also be nice to support
> > HTTP TLS upgrading when using http (RFC 2817); I don't think this is
> > already supported, but I haven't checked.
>
> There *are* issues with HTTP Upgrade that may be non-trivial to deal
> with in Neon and Serf; basically, server-initiated upgrades can
> happen too late to provide protection of sensitive information, so
> you need to tweak the client code a little to work around it...
>
> We use the "Expect: 100-continue" header in CUPS to get the 426
> response before sending the request body...

So, assuming this support was desired, is that something that would/should 
be changed in Subversion, or in Neon, or both? I understand what you're 
saying about server-initiated upgrades, I'm just not very familiar with how 
much of this is controlled by libraries (i.e. Neon) and how much by 
Subversion itself (i.e. libsvn_ra_dav).

-- 
Wesley J. Landaker <wj...@icecavern.net> <xm...@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Re: svnserve TLS support?

Posted by Michael Sweet <mi...@easysw.com>.
Wesley J. Landaker wrote:
> ...
> Also, as a separate but related issue, it would also be nice to support HTTP 
> TLS upgrading when using http (RFC 2817); I don't think this is already 
> supported, but I haven't checked.

There *are* issues with HTTP Upgrade that may be non-trivial to deal
with in Neon and Serf; basically, server-initiated upgrades can
happen too late to provide protection of sensitive information, so
you need to tweak the client code a little to work around it...

We use the "Expect: 100-continue" header in CUPS to get the 426
response before sending the request body...

-- 
______________________________________________________________________
Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Document Software          http://www.easysw.com

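The timing problem Michael describes, as an added example that is not code from Subversion, Neon, Serf or CUPS: a toy client and server talk over a socketpair standing in for the TCP connection, and the server always answers 426 Upgrade Required. With "Expect: 100-continue" the body is held back until the 426 arrives; without it the body is already on the cleartext wire when the server asks for TLS. The request path, host name and body are constructed.

```python
import socket
# Constructed sensitive body that must not reach a cleartext socket.
SECRET_BODY = b"password=hunter2"

def build_request_head(method, path, host, body_len, use_expect):
    """Headers for an RFC 2817 client-initiated upgrade. With use_expect
    the client holds the body until the server answers (100 or 426)."""
    head = (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n"
            f"Content-Length: {body_len}\r\n")
    if use_expect:
        head += "Expect: 100-continue\r\n"
    return (head + "\r\n").encode()

def read_head(sock):
    # Read until the end of the header block; return all bytes read.
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def exchange(use_expect):
    """One request over a socketpair standing in for the TCP connection.
    Returns (client outcome, body bytes the server saw in cleartext)."""
    client, server = socket.socketpair()
    head = build_request_head("POST", "/svn/repo", "example.invalid",
                              len(SECRET_BODY), use_expect)
    # Without Expect the client writes head and body back to back, so the
    # server's 426 arrives after the body is already on the wire.
    client.sendall(head if use_expect else head + SECRET_BODY)
    # Server side: this deployment requires TLS, so it answers 426.
    req = read_head(server)
    server.sendall(b"HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0\r\n"
                   b"Connection: Upgrade\r\nContent-Length: 0\r\n\r\n")
    # Client side: on 426 the body stays local; the caller would wrap the
    # socket in TLS (ssl.SSLContext.wrap_socket) and resend the request.
    code = int(read_head(client).split(b" ", 2)[1])
    outcome = "upgrade-then-retry" if code == 426 else f"status-{code}"
    # Everything the server got past the header block is leaked cleartext.
    leaked = req.split(b"\r\n\r\n", 1)[1]
    server.settimeout(0.1)
    try:
        leaked += server.recv(4096)
    except socket.timeout:
        pass
    client.close(); server.close()
    return outcome, leaked
```

Both calls end in the same client decision, but only `exchange(False)` hands the server the body in the clear, which is the gap Neon or Serf would have to close on the client side.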

Re: svnserve TLS support?

Posted by "Wesley J. Landaker" <wj...@icecavern.net>.
On Wednesday 26 April 2006 09:15, Max Bowsher wrote:
> The presence of (and recent commits to)
> http://svn.collab.net/repos/svn/branches/svnserve-ssl/ should be a big
> clue! :-)

On Wednesday 26 April 2006 09:19, Marcus Rueckert wrote:
> this is WIP: http://svn.collab.net/repos/svn/branches/svnserve-ssl/

Well, that's what I get for searching around for open issues and tasks 
instead of looking in the repository directly!

Anyway, I'm thrilled to know this is happening. Is there any way I could 
help at this point?

-- 
Wesley J. Landaker <wj...@icecavern.net> <xm...@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2

Re: svnserve TLS support?

Posted by Max Bowsher <ma...@ukf.net>.
Wesley J. Landaker wrote:
> Has anyone considered also supporting TLS to allow security for the entire 
> svnserve connection,

The presence of (and recent commits to)
http://svn.collab.net/repos/svn/branches/svnserve-ssl/ should be a big
clue! :-)


Max.


Re: svnserve TLS support?

Posted by Marcus Rueckert <da...@web.de>.
On 2006-04-26 08:20:17 -0600, Wesley J. Landaker wrote:
> I see issue #1144 about integrating SASL into svnserve for authentication. 
> Has anyone considered also supporting TLS to allow security for the entire 
> svnserve connection, on par with what is provided currently for https? 
> 
> Some advantages of having svnserve support TLS upgrading:
>   * Works well with SASL, used in imaps, smtps, xmpp, ldap, etc.
>   * Provides consistent transport security (vs. using SASL alone)
>   * TLS is a draft internet standard that is already widely deployed.
>   * Open source TLS libraries available, compatible with Subversion license:
>     * GNU TLS <http://www.gnu.org/software/gnutls/> is LGPL'd.
>     * OpenSSL <http://www.openssl.org/> is under an Apache-style license.
>   * Doesn't require an extra IANA port (vs. using straight SSL)
>     * (Since we should, as recommended, use an upgrade-to-TLS mechanism.)
> 
> Anyway, just wondering if anyone else has considered this, and/or if anyone 
> is interested in working on this. =)
> 
> Also, as a separate but related issue, it would also be nice to support HTTP 
> TLS upgrading when using http (RFC 2817); I don't think this is already 
> supported, but I haven't checked.

this is WIP: http://svn.collab.net/repos/svn/branches/svnserve-ssl/

-- 
           openSUSE - SUSE Linux is my linux
               openSUSE is good for you
                   www.opensuse.org
