From: Ivan Zhakov
Date: Tue, 4 Jun 2013 15:25:07 +0400
Subject: Re: Should missing smart card support not be added in the release notes?
To: Lieven Govaerts
Cc: Subversion Development

On Tue, Jun 4, 2013 at 3:19 PM, Lieven Govaerts wrote:
> On Tue, Jun 4, 2013 at 12:55 PM, Ivan Zhakov wrote:
>> On Tue, Jun 4, 2013 at 2:51 PM, Lieven Govaerts wrote:
>>> Hi,
>>>
>>> see subject. Serf and ra_serf don't have smart card support at this
>>> moment, unlike neon.
>>>
>>> I'd expected this to be mentioned in the release notes for 1.8.0 as
>>> this is not new information (at least I hope so), but I can't find
>>> anything about it.
>>>
>> Serf doesn't support smart cards for SSL based authentication, but
>> SPNego (Kerberos/NTLM) smart authentication works fine.
>
> Ah, didn't know that. So you use your smart card to log in to Windows
> and/or to the domain, which then enables single sign-on to a
> Kerberos-enabled svn server right?
>
I didn't try a Kerberos-enabled server. I tested using an Active Directory
domain controller. Windows SSPI automatically uses the credentials from the
smart card used to log on to Windows.

> In such a scenario, would you make the SSL layer additionally request
> a valid client certificate?
>
This is performed using a different API. I believe that can be handled
automatically by openssl when the CAPI engine is enabled.

--
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com