- FAQ
- I think I found a bug in TortoiseSVN!
- Installation & Upgrade
- Overlay icons
- Authentication
- Daily Use
- Feature Requests
- Known problems on Vista
- Other Tools
- SSH / SSL
- Does TortoiseSVN support SSH?
- Subversion / TortoiseSVN SSH HowTo
- SVN+SSH+public key authentication on Windows Box as server
- How do I get client certificates to work?
- How do I disable http access once https is working?
- How do I re-configure the client certificate for Tortoise SVN?
- I am getting the password dialog over and over again
- PuTTY keeps showing 'Invalid port number'
- Error Messages
- Why do comments sometimes get deleted from this website?
- Why did you name it TortoiseSVN?
- I love TortoiseSVN, how can I help?
How do I get client certificates to work?
Sent to the TortoiseSVN mailing list by Nigel Green, Thanks!
The final workaround that I came up with may well be helpful to others trying to solve the same problem, so I thought it worthwhile to detail my findings below ........
What I was trying to achieve was a single server containing 2 virtual SSL hosts: The first one was for public access, with no requirement for a client certificate. The second one was to be totally secure with a required client certificate, running a Subversion that I could access with TortoiseSVN.
Adding a "SSLVerifyClient Optional" directive to the "per-server" section of the Apache configuration (i.e. OUTSIDE of any "VirtualHost" and "Directory" locks) forces Apache to request a "Client Certificate" in the initial SSL handshake. It appears to be essential for TortoiseSVN that the certificate is requested at this point. TortoiseSVN does not appear to work with Client Certificates if the SSL connection is re-negotiated. [I understand from quotes on the web that this is a bug in mod_ssl which is used by TortoiseSVN.]
However, this left me with a big problem. As the "SSLVerifyClient" directive is server-wide, it seemed that I could not make one virtual host require client certificates, and the other one not. I could not put any other "SSLVerifyClient" directives in the host configuration, as they are overridden by the server-wide directive, and I could not move the "SSLVerifyClient" directive to a "per-directory" level as TortoiseSVN would not cope with the SSL re-negotiation. A different approach was called for. In the end, the solution was quite simple; to add the following directive to the virtual host Directory that I wanted to lock down for Subversion:
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
This directive grants access to the directory only if a client certificate was received and verified successfully. i.e. it was just what I wanted to achieve.
So to summarise, the relevant lines of my new Apache configuration that solve this problem are:
-----------------------------------------------
SSLVerifyClient Optional
### Virtual host configuration for the PUBLIC host (not requiring a certificate)
<VirtualHost 127.0.0.1:443>
<Directory "pathtopublicfileroot">
</Directory>
</VirtualHost>
### Virtual host configuration for SUBVERSION (requiring a client certificate)
<VirtualHost 127.0.0.1:443>
<Directory "subversion host root path">
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Directory>
<Location /svn>
DAV svn
SVNParentPath /pathtorepository
</Location>
</VirtualHost>
google search
Open Source
|
|
|