Support for ssl client certificates

[anonymous]

Many projects use SSL client certificates to securely authenticate users to https based svn repositories.

Currently kdesvn has no support for ssl client certificates. When accessing the repository the svn client either asks for the path to the certificate and the password or, if already configured, only for the password.

Since kdesvn does not expect this question it simply hangs whenever one accesses a client-certificate protected repository.

Proper handling of the password and path question should not be hard and would enable kdesvn to also handle these types of repositories.

Someone already thought about that in Changeset 129 when placing a ToDo? item there but it seams to got forgotten.

[alwin]

You're right, I forgot it.

I have no repository with client certs this moment, will see how to setup this.

[alwin]

Hm. Don't understand it. I searched again, kdesvn should ask for it. Do you mean, it doesn't aks for the password? or doesn't ask for the client-cert?

[anonymous]

Sorry for not answering that long.

It seems to neither work for password nor client-cert.

##########
Client-Cert:

---

CLI:
$ svn co https://10.100.0.1/svn
Authentication realm: https://10.100.0.1:443
Client certificate filename: [Waits for input, pressing CTRL-C]
svn: PROPFIND request failed on '/svn'
svn: PROPFIND of '/svn': SSL negotiation failed: SSL error: sslv3 alert handshake failure (https://10.100.0.1)

---

kdesvn (0.13.0):
- Pressing checkout button, entering URL, press OK
- Results in Popup "SVN Error" with following message, also displayed in log-window:
PROPFIND request failed on '/svn/'
PROPFIND of '/svn': SSL negotiation failed: SSL error: sslv3 alert handshake failure (https://10.100.0.1)

##########
Client-Cert:

- now the certificate is configured in /etc/subversion/servers via the ssl-client-cert-file option

---

CLI:
$ svn co https://10.100.0.1/svn
Passphrase for 'path-to-my-cert.p12':

---

kdesvn (0.13.0):
- Pressing checkout button, entering URL, press OK
- kdesvn freezes, has to be killed

[alwin]

Hm.

May you try switch-off saving passwords in kdewallet?

I'll try to learn how to setup a configuration like you use... or is somewhere a good and easy howto for that? (creating certs, where to store what, how to setup a apache for asking for that certs) - its not my favorite job :)

[anonymous]

Request for status update: Is this update under active development? Or is it just waiting for attention?

[alwin]

This moment not, 'cause I can not check or debug it (and a lot other stuff where to do.) And until now I have no scenario like that setup. And I didn't get an answer for my questions.

[gustavo@…]

Replying to alwin:

This moment not, 'cause I can not check or debug it (and a lot other stuff where to do.) And until now I have no scenario like that setup. And I didn't get an answer for my questions.

Hello, alwin.

I have this problem right now. I can give you access to a testing repository in this scenario for you to make your tests.

Please contact me if you're interested.

Thanks.

[kyle@…]

A workaround for those waiting on this bug:

Specify 'ssl-client-cert-file' and optionally 'ssl-client-cert-password' in ~/.subversion/servers, and kdesvn will work as you would normally expect, SSL client cert included.

Also, I'll offer the same as gustavo: if you need access to a repo that requires client certs, I can easily set you up a test one.

[anonymous]

Replying to kyle@averageurl.com:

A workaround for those waiting on this bug: Specify 'ssl-client-cert-file' and optionally 'ssl-client-cert-password' in ~/.subversion/servers, and kdesvn will work as you would normally expect, SSL client cert included. Also, I'll offer the same as gustavo: if you need access to a repo that requires client certs, I can easily set you up a test one.

What must the password filename be?

[kyle@…]

The password parameter is a literal password, it isn't a filename. It is the password, if applicable, to the X509 cert in question.