
List:       subversion-dev
Subject:    Re: RFC: TLS support in svn protocol
From:       David Waite <mass () akuma ! org>
Date:       2004-07-11 12:11:23
Message-ID: 6D282F32-D333-11D8-B9CF-000A95C89D86 () akuma ! org


On Jul 10, 2004, at 11:13 PM, Greg Hudson wrote:
>> the server ignores the `url' argument and responds with
>
> Here we have a dilemma.  Either:
>
>   * The client provides the URL before TLS negotiation, which allows the
> server to use a different certificate and client cert database for each
> repository, but doesn't protect the URL from eavesdropping or
> modification.  (The URL could be specified again in the TLS-protected
> stream to prevent modification.)  Or,
>
>   * The client does not provide the URL before TLS negotiation, so the
> URL is protected.  But the server's certificate and client cert db are
> fixed for all repositories.
>
I would suggest #2.

There is already an extension to TLS defined to allow supplying a server 
name during the initial client 'hello' to the server, which allows the 
server to choose the certificate with which to reply. I do not think 
openssl supports this yet, however gnutls does.

-David Waite
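The extension David refers to is server_name (SNI), defined in RFC 3546 at the time of this thread and now in RFC 6066. The following is an added example, not code from this thread or from Subversion: it builds a minimal TLS 1.0 ClientHello carrying a server_name extension and parses one back out, the way a server would before choosing a certificate. It also makes the trade-off in Greg's dilemma concrete, since the name is carried in the unencrypted hello and is therefore readable by anyone on the path. The host name svn.example.org, the single cipher suite and the all-zero random field are constructed values chosen for the example.

```python
"""Build and parse a TLS 1.0 ClientHello with the server_name (SNI) extension.

Added example for the svn TLS thread; not project code. Wire layout follows
RFC 2246 (ClientHello) and RFC 3546 / RFC 6066 (server_name extension).
"""
import struct
from typing import Optional

SNI_EXT_TYPE = 0x0000      # ExtensionType server_name
SNI_NAME_TYPE_HOST = 0x00  # NameType host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return a TLS record holding a ClientHello; SNI is added if a name is given."""
    client_version = b"\x03\x01"                     # TLS 1.0
    random_bytes = b"\x00" * 32                      # constructed; real clients use CSPRNG
    session_id = b"\x00"                             # empty session id
    cipher_suites = b"\x00\x02" + b"\x00\x2f"        # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x01\x00"                        # null compression only
    body = client_version + random_bytes + session_id + cipher_suites + compression
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName = NameType(1) + opaque HostName<1..2^16-1>
        entry = bytes([SNI_NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _parse_server_name(data: bytes) -> Optional[str]:
    """Parse the ServerNameList inside a server_name extension."""
    if len(data) < 2:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, min(2 + list_len, len(data))
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == SNI_NAME_TYPE_HOST and len(name) == name_len:
            return name.decode("ascii", "replace")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name a ClientHello asks for, or None if absent or malformed.

    Every length field is bounds-checked; truncated input yields None rather
    than an exception, which is what a server-side dispatcher wants.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32  # skip client_version and random
    try:
        pos += 1 + body[pos]                                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]           # cipher_suites
        pos += 1 + body[pos]                                           # compression_methods
        if pos + 2 > len(body):
            return None                                                # no extensions block
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(body))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == SNI_EXT_TYPE:
                return _parse_server_name(ext_data)
    except (IndexError, struct.error):
        return None
    return None


if __name__ == "__main__":
    hello = build_client_hello("svn.example.org")
    print("server picks cert for:", extract_sni(hello))
    print("name visible in cleartext hello:", b"svn.example.org" in hello)
```

Note that the name is literally present in the first bytes the client sends, so SNI solves the per-repository certificate problem but not the eavesdropping half of the dilemma; a client that wants the URL hidden still has to repeat it inside the protected stream.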


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
