Posted to users@subversion.apache.org by "Simpson, Andrew R CIV NSWC Crane, JXSNL" <an...@navy.mil> on 2015/12/10 15:34:33 UTC

using pkcs11 (CAC cards) with svn 1.8 and newer

I have been using svn 1.6 and 1.7 with PKCS11 Smart Cards for many years.  With the removal of NEON from svn 1.8 and newer, I have been unable to use svn with pkcs11 certs/cards at all using RHEL 6.X.  Is there some configuration option that I'm missing?  Does anyone know if it even works?  It's a huge issue considering that our subversion server provider has updated to svn 1.9x and now the older clients don't play nice.

Thanks!

RE: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by "Simpson, Andrew R CIV NSWC Crane, JXSNL" <an...@navy.mil>.
Roger that.  I appreciate you taking the time to discuss this.  I have pushed it back to my contacts at forge already.

-Andrew
________________________________
From: Mark Phippard [markphip@gmail.com]
Sent: Thursday, December 10, 2015 11:26 AM
To: Simpson, Andrew R CIV NSWC Crane, JXSNL
Cc: users@subversion.apache.org
Subject: Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

On Thu, Dec 10, 2015 at 11:03 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <an...@navy.mil> wrote:
I'd love to, but I have to be "allowed" to :)  I will push within DoD circles.

The issue with newer versus older was indicated by our server provider (forge.mil).

I provide the software that forge.mil is built from -- TeamForge.  If it has been upgraded recently then it would be on SVN 1.8.x on the server as that is the latest version we provide.

I'm only rehashing what they stated, although I should be clear that was in regards to TortoiseSVN.  We did see issues specifically with regards to Tortoise using older versions that did seem to go away by upgrading to the latest client in those cases on Windows.

I do believe, however, that the timeouts may be caused by either A) configuration of the svn server or B) the network setup of the server provider.

Thanks again for the info.  Much appreciated.  Will take a look into what's required to modify serf to support this.

Setting aside the CAC issues which are specific to forge.mil, a large percentage of users use SVN 1.6/1.7 clients simply because they use what comes with their distro.  As you point out, RHEL6 provides SVN 1.6 so we see a lot of that.  There should be no issues specific to the client/server versions.  You should be fine using SVN 1.6.  Any timeout problems you are having are not because of the client version.

If these started after the upgrade, then I would guess there was some configuration that changed that was overlooked.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by Mark Phippard <ma...@gmail.com>.
Here is the relevant Serf issue on this topic:

https://issues.apache.org/jira/browse/SERF-27

On Thu, Dec 10, 2015 at 11:26 AM, Mark Phippard <ma...@gmail.com> wrote:

> On Thu, Dec 10, 2015 at 11:03 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL
> <an...@navy.mil> wrote:
>
>> I'd love to, but I have to be "allowed" to :)  I will push within DoD
>> circles.
>>
>> The issue with newer versus older was indicated by our server provider (
>> forge.mil).
>
>
> I provide the software that forge.mil is built from -- TeamForge.  If it
> has been upgraded recently then it would be on SVN 1.8.x on the server as
> that is the latest version we provide.
>
>
>>   I'm only rehashing what they stated, although I should be clear that
>> was in regards to tortoiseSVN.  We did see issues specifically with regards
>> to tortoise using older versions that did seem to go away by upgrading to
>> the latest client in those cases on windows.
>>
>> I do believe, however, that the timeouts may be caused by either A)
>> configuration of the svn server or B) the network setup of the server
>> provider.
>>
> >> Thanks again for the info.  Much appreciated.  Will take a look into
> >> what's required to modify serf to support this.
>>
>
> Setting aside the CAC issues which are specific to forge.mil, a large
> percentage of users use SVN 1.6/1.7 clients simply because they use what
> comes with their distro.  As you point out, RHEL6 provides SVN 1.6 so we
> see a lot of that.  There should be no issues specific to the client/server
> versions.  You should be fine using SVN 1.6.  Any timeout problems you are
> having are not because of the client version.
>
> If these started after the upgrade, then I would guess there was some
> configuration that changed that was overlooked.
>
> --
> Thanks
>
> Mark Phippard
> http://markphip.blogspot.com/
>



-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, Dec 10, 2015 at 11:03 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <andrew.simpson@navy.mil> wrote:

> I'd love to, but I have to be "allowed" to :)  I will push within DoD
> circles.
>
> The issue with newer versus older was indicated by our server provider (
> forge.mil).


I provide the software that forge.mil is built from -- TeamForge.  If it
has been upgraded recently then it would be on SVN 1.8.x on the server as
that is the latest version we provide.


> I'm only rehashing what they stated, although I should be clear that was
> in regards to TortoiseSVN.  We did see issues specifically with regards to
> Tortoise using older versions that did seem to go away by upgrading to the
> latest client in those cases on Windows.
>
> I do believe, however, that the timeouts may be caused by either A)
> configuration of the svn server or B) the network setup of the server
> provider.
>
> Thanks again for the info.  Much appreciated.  Will take a look into
> what's required to modify serf to support this.
>

Setting aside the CAC issues which are specific to forge.mil, a large
percentage of users use SVN 1.6/1.7 clients simply because they use what
comes with their distro.  As you point out, RHEL6 provides SVN 1.6 so we
see a lot of that.  There should be no issues specific to the client/server
versions.  You should be fine using SVN 1.6.  Any timeout problems you are
having are not because of the client version.

If these started after the upgrade, then I would guess there was some
configuration that changed that was overlooked.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

RE: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by "Simpson, Andrew R CIV NSWC Crane, JXSNL" <an...@navy.mil>.
I'd love to, but I have to be "allowed" to :)  I will push within DoD circles.

The issue with newer versus older was indicated by our server provider (forge.mil).  I'm only rehashing what they stated, although I should be clear that was in regards to TortoiseSVN.  We did see issues specifically with regards to Tortoise using older versions that did seem to go away by upgrading to the latest client in those cases on Windows.

I do believe, however, that the timeouts may be caused by either A) configuration of the svn server or B) the network setup of the server provider.

Thanks again for the info.  Much appreciated.  Will take a look into what's required to modify serf to support this.

-Andrew
________________________________
From: Mark Phippard [markphip@gmail.com]
Sent: Thursday, December 10, 2015 10:54 AM
To: Simpson, Andrew R CIV NSWC Crane, JXSNL
Cc: users@subversion.apache.org
Subject: Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

On Thu, Dec 10, 2015 at 10:42 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <an...@navy.mil> wrote:
Hi Mark,

So to be clear, unless we re-roll the latest subversion clients with pakchois and neon, we're going to be unable to use pkcs11?  That is a major issue for Linux development in the DoD.  I will also need to contact RedHat to see what their plans are, but RHEL 6 is still stuck at 1.6.

Neon support was removed with SVN 1.8.  You are stuck on SVN 1.7 or earlier for your clients.  I am sure the Apache Serf project would welcome contributions of PKCS11 support for Linux.  If this is important to the DoD ... contribute resources.  It is not like the average open source developer has access to a CAC environment to work on something like this.

http://serf.apache.org


I can still use svn 1.6 and 1.7 with the newer subversion server.  However, we have been seeing timeout issues when checking out of repositories and other quirks.  Otherwise, yes, it does work with PKCS 11.  The subversion provider has updated to 1.8 or 1.9 (can't remember).  Since then, we have been experiencing issues with these timeouts every 5-12 minutes of a checkout.


There is no reason to believe that a newer client version will make any difference for a problem like this.  The version of Subversion on the server is not the most likely reason for timeouts.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, Dec 10, 2015 at 10:42 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <andrew.simpson@navy.mil> wrote:

> Hi Mark,
>
> So to be clear, unless we re-roll the latest subversion clients with
> pakchois and neon, we're going to be unable to use pkcs11?  That is a major
> issue for Linux development in the DoD.  I will also need to contact RedHat
> to see what their plans are, but RHEL 6 is still stuck at 1.6.
>

Neon support was removed with SVN 1.8.  You are stuck on SVN 1.7 or earlier
for your clients.  I am sure the Apache Serf project would welcome
contributions of PKCS11 support for Linux.  If this is important to the DoD
... contribute resources.  It is not like the average open source developer
has access to a CAC environment to work on something like this.

http://serf.apache.org



> I can still use svn 1.6 and 1.7 with the newer subversion server.
> However, we have been seeing timeout issues when checking out of
> repositories and other quirks.  Otherwise, yes, it does work with PKCS 11.
> The subversion provider has updated to 1.8 or 1.9 (can't remember).  Since
> then, we have been experiencing issues with these timeouts every 5-12
> minutes of a checkout.
>
>
There is no reason to believe that a newer client version will make any
difference for a problem like this.  The version of Subversion on the
server is not the most likely reason for timeouts.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

RE: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by "Simpson, Andrew R CIV NSWC Crane, JXSNL" <an...@navy.mil>.
Hi Mark,

So to be clear, unless we re-roll the latest subversion clients with pakchois and neon, we're going to be unable to use pkcs11?  That is a major issue for Linux development in the DoD.  I will also need to contact RedHat to see what their plans are, but RHEL 6 is still stuck at 1.6.

I can still use svn 1.6 and 1.7 with the newer subversion server.  However, we have been seeing timeout issues when checking out of repositories and other quirks.  Otherwise, yes, it does work with PKCS 11.  The subversion provider has updated to 1.8 or 1.9 (can't remember).  Since then, we have been experiencing issues with these timeouts every 5-12 minutes of a checkout.

Thanks!
________________________________
From: Mark Phippard [markphip@gmail.com]
Sent: Thursday, December 10, 2015 10:18 AM
To: Simpson, Andrew R CIV NSWC Crane, JXSNL
Cc: users@subversion.apache.org
Subject: [Non-DoD Source] Re: using pkcs11 (CAC cards) with svn 1.8 and newer

On Thu, Dec 10, 2015 at 9:34 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <an...@navy.mil> wrote:
I have been using svn 1.6 and 1.7 with PKCS11 Smart Cards for many years.  With the removal of NEON from svn 1.8 and newer, I have been unable to use svn with pkcs11 certs/cards at all using RHEL 6.X.  Is there some configuration option that I'm missing?

I do not believe Serf has any support for this.  Even with Neon on Linux I believe it required a custom build involving the pakchois library.  On Windows, the pkcs11 support still works for Serf, but that is because it is provided via OpenSSL compile options that leverage the Windows support for smart cards.  There is nothing similar on Linux.

Does anyone know if it even works?  It's a huge issue considering that our subversion server provider has updated to svn 1.9x and now the older clients don't play nice.


I would like to hear more details on this as it should not be true.  Any SVN client version should work properly with a SVN 1.9 server.  You should still be able to use 1.6 and 1.7 clients without any problems at all. There were no features added in SVN 1.9 that require a 1.9 client AND server:

http://subversion.apache.org/docs/release-notes/1.9.html#new-feature-compatibility-table

--
Thanks

Mark Phippard
http://markphip.blogspot.com/

Re: using pkcs11 (CAC cards) with svn 1.8 and newer

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, Dec 10, 2015 at 9:34 AM, Simpson, Andrew R CIV NSWC Crane, JXSNL <andrew.simpson@navy.mil> wrote:

> I have been using svn 1.6 and 1.7 with PKCS11 Smart Cards for many years.
> With the removal of NEON from svn 1.8 and newer, I have been unable to use
> svn with pkcs11 certs/cards at all using RHEL 6.X.  Is there some
> configuration option that I'm missing?


I do not believe Serf has any support for this.  Even with Neon on Linux I
believe it required a custom build involving the pakchois library.  On
Windows, the pkcs11 support still works for Serf, but that is because it is
provided via OpenSSL compile options that leverage the Windows support for
smart cards.  There is nothing similar on Linux.

> Does anyone know if it even works?  It's a huge issue considering that our
> subversion server provider has updated to svn 1.9x and now the older
> clients don't play nice.
>
>
I would like to hear more details on this as it should not be true.  Any
SVN client version should work properly with a SVN 1.9 server.  You should
still be able to use 1.6 and 1.7 clients without any problems at all. There
were no features added in SVN 1.9 that require a 1.9 client AND server:

http://subversion.apache.org/docs/release-notes/1.9.html#new-feature-compatibility-table

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/
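The practical check that follows from this exchange is whether a given svn client still carries the Neon-based `ra_neon` module, since the thread's answer is that the Linux PKCS11/pakchois path depended on it and SVN 1.8 dropped it in favour of serf. The script below is an added example, not code from the thread or from the Subversion project: it parses the repository-access module list that `svn --version` prints and reports which HTTP(S) transport the client has. The two sample outputs are constructed to match the real module-list format; the revision numbers in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify an svn client by the RA modules
# it reports, because the thread says the Linux smart-card path needed the
# Neon module (built with pakchois) that SVN 1.8 and newer no longer ship.

# Constructed sample: RA-module section of "svn --version" for a 1.7 client
# that still has ra_neon next to ra_serf (revision number is a placeholder).
SAMPLE_SVN17='svn, version 1.7.14 (rXXXXXXX)

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
* ra_svn : Module for accessing a repository using the svn network protocol.
* ra_local : Module for accessing a repository on local disk.
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.'

# Constructed sample: a 1.8 client, where ra_neon is gone and only serf
# speaks http/https (revision number is a placeholder).
SAMPLE_SVN18='svn, version 1.8.14 (rXXXXXXX)

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
* ra_local : Module for accessing a repository on local disk.
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.'

# Print the RA module names (ra_neon, ra_serf, ...) found in "svn --version"
# text read from stdin, one per line.
ra_modules() {
    sed -n 's/^\* \(ra_[a-z]*\) :.*/\1/p'
}

# Report the HTTP(S) transport the client offers, reading "svn --version"
# text from stdin: "neon" (ra_neon present, the only path the thread says
# could carry PKCS11 on Linux), "serf" (serf only), or "none".
http_transport() {
    mods=" $(ra_modules | tr '\n' ' ') "
    case "$mods" in
        *" ra_neon "*) echo neon ;;
        *" ra_serf "*) echo serf ;;
        *) echo none ;;
    esac
}

# Exit 0 only when the client still has the Neon transport, i.e. when a
# pakchois-enabled build could in principle use a PKCS11 smart card.
pkcs11_path_available() {
    [ "$(http_transport)" = "neon" ]
}

# Demo on the constructed samples, then on the installed client if any.
for v in SAMPLE_SVN17 SAMPLE_SVN18; do
    eval "out=\$$v"
    printf '%s -> %s\n' "$v" "$(printf '%s\n' "$out" | http_transport)"
done
if command -v svn >/dev/null 2>&1; then
    if svn --version 2>/dev/null | pkcs11_path_available; then
        echo "local client: ra_neon present (Neon/pakchois path possible)"
    else
        echo "local client: no ra_neon (serf-only, no Linux PKCS11 path)"
    fi
fi
```

Run it as-is to see the two constructed cases classified, or pipe real output through it with `svn --version | sh -c '. ./check.sh; http_transport'` after saving the functions to a file. A "neon" result only means the transport is present; the thread notes that using a smart card through it still required a custom build against pakchois.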