subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bert Huijben" <b...@qqmail.nl>
Subject RE: SVN client SSL CRL configuration
Date Thu, 10 Apr 2014 10:26:16 GMT


> -----Original Message-----
> From: Ben Reser [mailto:ben@reser.org]
> Sent: woensdag 9 april 2014 21:28
> To: mskala@ansuz.sooke.bc.ca; users@subversion.apache.org
> Subject: Re: SVN client SSL CRL configuration
> 
> On 4/9/14, 8:56 AM, mskala@ansuz.sooke.bc.ca wrote:
> > I'm not subscribed to the list and would appreciate a cc: on any
replies.
> >
> > I run a Subversion server accessible through Apache HTTPS, and several
> > clients that connect to it, all under Linux, and I run my own CA
> > (certificate authority) to issue SSL certificates to all parties.  When
I
> > set it up, I made no provision for issuing and distributing CRLs
> > (certificate revocation lists), not expecting that to ever be a relevant
> > issue.  My server was "heartbleed"-vulnerable and has now been patched
> for
> > that; but it appears that as a result of possible past compromise I have
> > to issue new certificates for all the parties and revoke the old ones.
> >
> > My main question is:  how do I get the Subversion command-line client to
> > read a CRL?  The ssl-authority-files configuration setting lets me
specify
> > my CA's root certificate in a file; is there a similar setting for the
> > CRL?  I would prefer to distribute the CRL as a file (instead of a URL
to
> > be checked automatically); is that possible?  Or is it absolutely
> > necessary to post the CRL online somewhere and specify its URL in the
root
> > certificate (which will require constructing a new root certificate and
a
> > bunch of scripts to periodically re-issue and re-post the file).  If
it's
> > going to necessitate changes to the root certificate and frequent
ongoing
> > maintenance, I might be better off just re-doing the entire public key
> > infrastructure from scratch, annoying as that will be.
> >
> > Note I am specifically asking about the Subversion command-line client
> > running under Linux.  I already know how to configure Apache to read the
> > CRL on the server side.  All I've been able to find online regarding
> > *client-side* Subversion CRL use is Windows-specific.
> 
> The answer unfortunately is that currently we don't support CRLs.
However,
> we
> may have a workaround.  We're investigating currently and will follow up
> with
> more info soon.

On Windows this is not the entire story: If you didn't explicitly accept the
certificate in Subversion (or via a custom openssl config), but
automatically accept it via the Windows Crypto API and its certificate
store, then CRLs are used... 

So you would see Subversion prompt for an untrusted certificate in case the
certificate is revoked.

	Bert


Mime
View raw message