List: subversion-dev
Subject: Re: RFC: TLS support in svn protocol
From: David Waite <mass () akuma ! org>
Date: 2004-07-11 12:11:23
Message-ID: 6D282F32-D333-11D8-B9CF-000A95C89D86 () akuma ! org
On Jul 10, 2004, at 11:13 PM, Greg Hudson wrote:
>> the server ignores the `url' argument and responds with
>
> Here we have a dilemma. Either:
>
> * The client provides the URL before TLS negotiation, which allows the
> server to use a different certificate and client cert database for each
> repository, but doesn't protect the URL from eavesdropping or
> modification. (The URL could be specified again in the TLS-protected
> stream to prevent modification.) Or,
>
> * The client does not provide the URL before TLS negotiation, so the
> URL is protected. But the server's certificate and client cert db is
> fixed for all repositories.
>
I would suggest #2.
There is already an extension to TLS defined to allow supplying a server
name during the initial client 'hello' to the server, which allows the
server to choose the certificate with which to reply. I do not think
openssl supports this yet; however, gnutls does.
-David Waite
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
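Added example, not part of the thread or of the Subversion project: a Python builder and parser for a TLS ClientHello carrying the server_name extension (SNI, extension type 0, RFC 6066) that the reply above refers to. It shows where the name travels in the handshake and, from a defender's point of view, that it is readable in the first cleartext record, before any key exchange, so it gives the server a certificate-selection hint but not confidentiality for the name itself. The host name `svn.example.org`, the zero random, and the single cipher suite are constructed values.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 6066
HOST_NAME_TYPE = 0x00         # ServerName.name_type host_name


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record. If server_name is None,
    no extensions block is emitted at all (pre-SNI style ClientHello)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + bytes(32)                # random (constructed: all zero)
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x00\x2f"      # cipher_suites: one constructed suite
        + b"\x01\x00"              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # 22 = handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    None if the record is not a ClientHello or carries no SNI; raise
    ValueError on a truncated record."""
    def take(buf, pos, n):
        if pos + n > len(buf):
            raise ValueError("truncated ClientHello")
        return buf[pos:pos + n], pos + n

    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs, _ = take(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body, _ = take(hs, 4, hs_len)

    pos = 2 + 32                                   # skip client_version and random
    sid_len, pos = take(body, pos, 1)
    pos += sid_len[0]
    cs_len, pos = take(body, pos, 2)
    pos += struct.unpack("!H", cs_len)[0]
    cm_len, pos = take(body, pos, 1)
    pos += cm_len[0]
    if pos == len(body):
        return None                                # no extensions block present
    ext_len, pos = take(body, pos, 2)
    exts, _ = take(body, pos, struct.unpack("!H", ext_len)[0])

    pos = 0
    while pos < len(exts):
        hdr, pos = take(exts, pos, 4)
        ext_type, ext_len = struct.unpack("!HH", hdr)
        data, pos = take(exts, pos, ext_len)
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len_raw, npos = take(data, 0, 2)
        names, _ = take(data, npos, struct.unpack("!H", list_len_raw)[0])
        npos = 0
        while npos < len(names):
            entry_hdr, npos = take(names, npos, 3)
            name_len = struct.unpack("!H", entry_hdr[1:3])[0]
            name, npos = take(names, npos, name_len)
            if entry_hdr[0] == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def name_visible_in_cleartext(server_name):
    """True when the ASCII host name appears verbatim in the unencrypted
    ClientHello bytes, which is what an on-path observer sees."""
    return server_name.encode("ascii") in build_client_hello(server_name)


if __name__ == "__main__":
    rec = build_client_hello("svn.example.org")
    print(rec.hex())
    print("SNI:", extract_sni(rec))
    print("visible on the wire:", name_visible_in_cleartext("svn.example.org"))
```

The parser walks the record exactly as a server (or a network sensor) would, so the same logic can be used on the defending side to log which name each connection asked for, and the truncation check matters because a ClientHello cut short by a peer must not be trusted for certificate selection.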