subversion-users mailing list archives

From Ben Reser <>
Subject Re: SVN client SSL CRL configuration
Date Wed, 09 Apr 2014 19:28:24 GMT
On 4/9/14, 8:56 AM, wrote:
> I'm not subscribed to the list and would appreciate a cc: on any replies.
> I run a Subversion server accessible through Apache HTTPS, and several
> clients that connect to it, all under Linux, and I run my own CA
> (certificate authority) to issue SSL certificates to all parties.  When I
> set it up, I made no provision for issuing and distributing CRLs
> (certificate revocation lists), not expecting that to ever be a relevant
> issue.  My server was "heartbleed"-vulnerable and has now been patched for
> that; but it appears that as a result of possible past compromise I have
> to issue new certificates for all the parties and revoke the old ones.
> My main question is:  how do I get the Subversion command-line client to
> read a CRL?  The ssl-authority-files configuration setting lets me specify
> my CA's root certificate in a file; is there a similar setting for the
> CRL?  I would prefer to distribute the CRL as a file (instead of a URL to
> be checked automatically); is that possible?  Or is it absolutely
> necessary to post the CRL online somewhere and specify its URL in the root
> certificate (which will require constructing a new root certificate and a
> bunch of scripts to periodically re-issue and re-post the file).  If it's
> going to necessitate changes to the root certificate and frequent ongoing
> maintenance, I might be better off just re-doing the entire public key
> infrastructure from scratch, annoying as that will be.
> Note I am specifically asking about the Subversion command-line client
> running under Linux.  I already know how to configure Apache to read the
> CRL on the server side.  All I've been able to find online regarding
> *client-side* Subversion CRL use is Windows-specific.

The answer unfortunately is that currently we don't support CRLs.  However, we
may have a workaround.  We're investigating currently and will follow up with
more info soon.
