  1. Subversion
  2. SVN-2410

Allow client to avoid SSL certificate prompts

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: ---
    • Fix Version/s: 1.8.0
    • Component/s: libsvn_ra_serf
    • Labels:

      Description

      Patch by David Reid <david_at_jetnet.co.uk>.  This patch allows an
      "ssl-client-certs" option in the client config file, to specify whether SSL
      certificates can be used for authentication.  If set to "no", this stops
      Subversion from asking repeatedly for a certificate if the server implies that
      client certificates are an acceptable form of authentication.  The default is
      "yes", so applying this patch does not change the behavior of Subversion unless
      the user chooses.
      
      There were no responses to this patch on the dev list.
      
      The original patch is archived here:
      http://svn.haxx.se/dev/archive-2005-09/0341.shtml
      


      Original issue reported by mthelen

      1. 1_2410-v2-patch.txt
        12 kB
        Karl Fogel
      2. 2_2410-v4-patch.txt
        7 kB
        Karl Fogel

        Activity

        ehuelsmann Erik Huelsmann added a comment -

        Remove [PATCH] summary prefix, since the type already is PATCH.
        

        maxb Max Bowsher added a comment -

        Bulk reassign all 42 currently open, non-2.0, PATCH issues to target milestone
        "1.5-consider".
        

        subversion-importer Subversion Importer added a comment -

        We try to use ant scripts to check out source in an svn repository. The server 
        certificate validating error always breaks the automatic process. We need an 
        option to turn off this SSL certificate validation.
        Thanks
        
        

        Original comment by jialu

        subversion-importer Subversion Importer added a comment -

        We try to use ant scripts to check out source in an svn repository. The server 
        certificate validating error always breaks the automatic process. We need an 
        option to turn off this SSL certificate validation.
        Thanks
        
        

        Original comment by jialu

        subversion-importer Subversion Importer added a comment -

        We try to use ant scripts to check out source in an svn repository. The server 
        certificate validating error always breaks the automatic process. We need an 
        option to turn off this SSL certificate validation.
        Thanks
        
        

        Original comment by jialu

        kfogel Karl Fogel added a comment -

        (Why same comment three times?)
        
        See also issue #2597 ("--tolerant-ssl option to silently accept expired or
        untrusted certificates").
        

        kfogel Karl Fogel added a comment -

        Evaluating.
        

        kfogel Karl Fogel added a comment -

        Whew, I had to basically rewrite the patch, since so much has changed since
        2005.  Attaching now as 2410-v2-patch.txt.
        

        kfogel Karl Fogel added a comment -

        Created an attachment (id=898)
        Reworked patch + log message, based on David Reid's original, and adding ra_serf support.
        
        

        kfogel Karl Fogel added a comment -

        Attachment 1_2410-v2-patch.txt has been added with description: Reworked patch + log message, based on David Reid's original, and adding ra_serf support.

        kfogel Karl Fogel added a comment -

        See the thread starting here for discussion of that patch...
        
           http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=140532
           From: Karl Fogel <kfogel@red-bean.com>
           To: dev@subversion.tigris.org
           Subject: Review requested on issue #2410 (SSL client certs option)
           Date: Thu, 26 Jun 2008 12:27:32 -0400
           Message-ID: <8763rwxitn.fsf@red-bean.com>
        
        ...but partway through the thread, Joe Orton suggested an entirely different
        solution:
        
           http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=140549
           From: Joe Orton <jorton@redhat.com>
           To: Karl Fogel <kfogel@red-bean.com>
           Cc: dev@subversion.tigris.org
           Subject: Re: Review requested on issue #2410 (SSL client certs option)
           Date: Fri, 27 Jun 2008 16:26:49 +0100
           Message-ID: <20080627152649.GA12927@redhat.com>
        
        

        kfogel Karl Fogel added a comment -

        See also the semi-related issue #2489 ("Cache ssl client certificate passphrases").
        

        hwright Hyrum Wright added a comment -

        Moving to 1.6-consider as part of the post-1.5 issue sweep.
        

        kfogel Karl Fogel added a comment -

        Attachment 2_2410-v4-patch.txt has been added with description: Updated for r33106 of trunk, but note that one change is planned before committing (see log msg in patch for more).

        kfogel Karl Fogel added a comment -

        Created an attachment (id=940)
        Updated for r33106 of trunk, but note that one change is planned before committing (see log msg in patch for more).
        
        

        hwright Hyrum Wright added a comment -

        Post-1.6 issue sweep.  Since 1.7 is already shaping up to be a large release,
        move to 1.8-consider.
        

        cmpilato C. Michael Pilato added a comment -

        Fix issue type.  We're discontinuing the use of PATCH.
        

        rhuijben Bert Huijben added a comment -

        Not a fix for this specific issue, but passing --non-interactive to svn 
        disables all prompts. So that might be a valid workaround.
        

        rhuijben Bert Huijben added a comment -

        And --config-option (new in 1.6) might even allow passing an explicit 
        certificate for the specific invocation.
        

        cmpilato C. Michael Pilato added a comment -

        Tweaked, finished, and committed kfogel's patch:
           Sending        subversion/include/svn_config.h
           Sending        subversion/libsvn_subr/cmdline.c
           Sending        subversion/libsvn_subr/config_file.c
           Transmitting file data ...
           Committed revision 1382028.
        
        By default, Subversion will now *not* prompt for client-cert paths.  Users can
        restore the prompting behavior by setting ssl-client-cert-file-prompt=yes in the
        [auth] section of their ~/.subversion/config file (or equivalent), so long as
        the client isn't in --non-interactive mode, of course.
        

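A preflight check for unattended jobs, applying the rule in the closing comment above (added example, not part of the issue thread or of Subversion's own code): it reads a client config and reports whether `svn` would stop to ask for a client-certificate path. The sample config is constructed, the function names are hypothetical, and the accepted boolean spellings are an assumption about Subversion's config reader.

```python
import configparser

# Constructed sample of a ~/.subversion/config file (not taken from the issue).
SAMPLE_CONFIG = """\
### Constructed sample for illustration
[auth]
store-passwords = no
ssl-client-cert-file-prompt = Yes

[helpers]
# editor-cmd = vi
"""

# Assumption: booleans are matched case-insensitively against these spellings.
_TRUE = {"true", "yes", "on", "1"}
_FALSE = {"false", "no", "off", "0"}


def cert_prompt_enabled(config_text):
    """Effective value of [auth] ssl-client-cert-file-prompt.

    Per the closing comment on this issue, the default is "do not prompt".
    """
    # interpolation=None: '%' in helper commands must not be expanded.
    # strict=False: tolerate repeated sections/options in hand-edited files.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    raw = parser.get("auth", "ssl-client-cert-file-prompt", fallback="no")
    value = raw.strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    # Fail loudly rather than guess how the client would treat a typo.
    raise ValueError(
        f"unrecognised boolean {raw!r} for ssl-client-cert-file-prompt")


def would_prompt(config_text, non_interactive):
    """True if the client could block waiting for a client-cert path.

    --non-interactive suppresses the prompt regardless of the config value.
    """
    return cert_prompt_enabled(config_text) and not non_interactive


if __name__ == "__main__":
    for flag in (False, True):
        print(f"non_interactive={flag}: prompt={would_prompt(SAMPLE_CONFIG, flag)}")
```
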

          People

          • Assignee:
            cmpilato C. Michael Pilato
            Reporter:
            subversion-importer Subversion Importer