
List:       subversion-dev
Subject:    svnserve client authentication using certificates
From:       Sigfred Håversen <bsdlist () mumak ! com>
Date:       2004-10-31 20:22:38
Message-ID: 200410312122.38946.bsdlist () mumak ! com

To my previous svnserve SSL patch, I've added authentication using client 
certificates. However, client management of certificates remains to be done 
and I'm unsure how to proceed. More on that below.

An SSL-enabled svnserve will now accept clients that do not have that 
capability, or do not want to use it. An exception, of course, is 
authentication using certificates. If both svnserve and the client support 
SSL, an SSL handshake will be done.

A repo administrator will add users with certificates in a new section 
[certificates] in the svnserve password file:

[certificates]
username1 = <PEM encoded certificate>
username2 = <PEM encoded certificate>
....

I've added a new auth mech "SSL-CERT" that the server sends when it wants the 
client to authenticate with a certificate. The authentication will only 
succeed if the client gives a valid username and certificate during the 
handshake. The authentication is done by checking that the client-supplied 
certificate is signed by the corresponding certificate in the password file.

For the client certificate management there are two credentials that will be 
useful: SVN_AUTH_CRED_SSL_CLIENT_CERT and 
SVN_AUTH_CRED_SSL_CLIENT_CERT_PW. However, neither of them supports caching. 
Since my client certificate authentication is a pair (username, certificate), 
it would be useful to have a "const char *username" member in 
svn_auth_cred_ssl_client_cert_t as well.

I could change the providers, but I don't want to risk breaking existing usage 
of those providers. Making a new credential seems wrong. Any ideas?

/Sigfred
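
The check described in the message (a client certificate is accepted for a username only if it is signed by the certificate registered for that username), reproduced with the openssl command line as an added example; it is not part of the original post or of the svnserve patch. The per-user PEM directory standing in for the [certificates] section, the function names and the users alice, bob and mallory are assumptions, and all keys are generated on the spot.

```shell
#!/bin/sh
# Added example with constructed users and throwaway keys; not svnserve code.
# Assumption: one PEM file per user stands in for the [certificates] section.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
registry=$work/certificates
mkdir "$registry"

# Create the self-signed certificate an administrator would register for USER.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 signer" \
        -keyout "$work/$1-signer.key" -out "$registry/$1.pem" 2>/dev/null
}

# Issue a client certificate for USER, signed by that user's registered certificate.
issue_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$work/$1-client.key" -out "$work/$1-client.csr" 2>/dev/null
    openssl x509 -req -in "$work/$1-client.csr" -days 1 -set_serial 1 \
        -CA "$registry/$1.pem" -CAkey "$work/$1-signer.key" \
        -out "$work/$1-client.pem" 2>/dev/null
}

# Succeed only if CLIENT_PEM verifies against the certificate registered for USER.
# -trusted makes that one certificate the sole trust anchor (no system CA store).
ssl_cert_auth() {
    user=$1 client_pem=$2
    case $user in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac   # keep the name out of the path
    [ -f "$registry/$user.pem" ] || return 1                # unknown user
    openssl verify -trusted "$registry/$user.pem" "$client_pem" >/dev/null 2>&1
}

make_signer alice; make_signer bob
issue_client_cert alice; issue_client_cert bob

# The same certificate is presented under three different claimed usernames.
for claim in alice bob mallory; do
    if ssl_cert_auth "$claim" "$work/alice-client.pem"; then
        echo "alice's certificate presented as $claim: accepted"
    else
        echo "alice's certificate presented as $claim: rejected"
    fi
done
```

The decision depends on the (username, certificate) pair: a certificate that is valid for one user is rejected when presented under another user's name or an unregistered one.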

