Posted to users@subversion.apache.org by "Moore, Tom" <To...@aig.com> on 2008/01/25 16:21:48 UTC
SVN and SSL
OK, trying to figure this out quickly.
SVN is set up, running 1.4.6.
Original SVN portion of apache conf was as follows:
<Location /svn>
  DAV svn
  SVNParentPath /home/test/svn
  # Fancy, fancy
  SVNIndexXSLT "/svnindex.xsl"
  # Limit WRITE permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    AuthType Basic
    AuthName test.com
    AuthUserFile /home/test/etc/svn.basic.passwd
    Require valid-user
    AuthUserFile /home/test/etc/svn-access.conf
    Satisfy Any
  </LimitExcept>
</Location>
Worked fine... except we discuss some users working remotely are stuck
behind a proxy/firewall setup and can't access the repository using an
http:// based setup. So out come the books and searches and we
determine that we need to configure SSL.
New SVN portion:
SSLVerifyClient none
SSLVerifyDepth 10
<Location /svn>
  DAV svn
  SVNParentPath /home/test/svn
  # Fancy, fancy
  SVNIndexXSLT "/svnindex.xsl"
  # Limit WRITE permission to list of valid users.
  <LimitExcept GET PROPFIND OPTIONS REPORT>
    SSLRequireSSL
    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #
    # "optional" makes it visible generally...
    #
    #SSLVerifyClient require
    # SSLVerifyDepth must be >= the number of CA certificates in your
    # SSLCACertificateFile.
    #SSLVerifyDepth 10
    # This actually is what makes everything work!!
    SSLOptions +FakeBasicAuth
    AuthType Basic
    AuthName test.com
    AuthUserFile /home/test/etc/svn.basic.passwd
    Require valid-user
    AuthUserFile /home/test/etc/svn-access.conf
    Satisfy Any
  </LimitExcept>
</Location>
We don't have a need for client certificate level security, and would
rather not have to deal with setting each user up with a certificate.
This scenario "works" in that it allows our users to access SVN, but
there are two issues that we need to deal with.
1) Even though we set up SSL access, it is possible to access the
repository via the original http method, but writes/reports don't work.
Not a major problem in that we can just have everyone use https.
However, we don't want the confusion of being allowed to read the
repository via http, but not write, to bite us. If there's any way to
block/redirect this (or even turn back on http based writes) I would
appreciate hearing it.
2) This one is more important. Ever since we set up SSL access,
the "author" of a change is no longer being recorded in the repository.
We need this. Again, trying to avoid client certs here, so if this is
possible, please let me know.
Tom Moore
tom.moore@aig.com
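
Added example, not part of the original post: a small Python check run over the <LimitExcept> body quoted above. It flags two things visible in that block: a single-valued directive given twice (the later line wins), and Satisfy Any combined with SSLRequireSSL without SSLOptions +StrictRequire, a combination in which, per the mod_ssl documentation, Satisfy Any can override the SSLRequireSSL denial. The function name lint and the directive set are assumptions of this example, and it does not diagnose the missing author.

```python
# Constructed sample: the <LimitExcept> body from the post's new configuration,
# with comment lines omitted.
POSTED = """\
<LimitExcept GET PROPFIND OPTIONS REPORT>
SSLRequireSSL
SSLOptions +FakeBasicAuth
AuthType Basic
AuthName test.com
AuthUserFile /home/test/etc/svn.basic.passwd
Require valid-user
AuthUserFile /home/test/etc/svn-access.conf
Satisfy Any
</LimitExcept>
"""

# Directives that take one value per section; a repeat replaces the earlier one.
SINGLE_VALUED = {"authtype", "authname", "authuserfile", "satisfy"}

def lint(conf):
    """Return (line_number, message) findings for one config section (hypothetical helper)."""
    findings, seen, opts = [], {}, set()
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and container tags
        name, _, args = line.partition(" ")
        key = name.lower()
        if key in SINGLE_VALUED:
            if key in seen:
                findings.append((no, f"{name} repeated; overrides line {seen[key][0]}"))
            seen[key] = (no, args.strip())
        elif key == "ssloptions":
            # Collect enabled options ("+Name" or "Name"); ignore "-Name".
            opts.update(a.lstrip("+").lower() for a in args.split() if not a.startswith("-"))
        elif key == "sslrequiressl":
            seen[key] = (no, "")
    satisfy = seen.get("satisfy", (0, ""))[1].lower()
    if satisfy == "any" and "sslrequiressl" in seen and "strictrequire" not in opts:
        findings.append((seen["satisfy"][0],
                         "Satisfy Any with SSLRequireSSL but no SSLOptions +StrictRequire"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(POSTED):
        print(f"line {no}: {msg}")
```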