From: mskala@ansuz.sooke.bc.ca
To: users@subversion.apache.org
Date: Wed, 9 Apr 2014 09:56:26 -0500 (CDT)
Subject: SVN client SSL CRL configuration

I'm not subscribed to the list and would appreciate a cc: on any replies.

I run a Subversion server accessible through Apache HTTPS, and several clients that connect to it, all under Linux, and I run my own CA (certificate authority) to issue SSL certificates to all parties. When I set it up, I made no provision for issuing and distributing CRLs (certificate revocation lists), not expecting that to ever be a relevant issue.
My server was "heartbleed"-vulnerable and has now been patched for that; but it appears that as a result of possible past compromise I have to issue new certificates for all the parties and revoke the old ones.

My main question is: how do I get the Subversion command-line client to read a CRL? The ssl-authority-files configuration setting lets me specify my CA's root certificate in a file; is there a similar setting for the CRL? I would prefer to distribute the CRL as a file (instead of a URL to be checked automatically); is that possible? Or is it absolutely necessary to post the CRL online somewhere and specify its URL in the root certificate (which will require constructing a new root certificate and a bunch of scripts to periodically re-issue and re-post the file)?

If it's going to necessitate changes to the root certificate and frequent ongoing maintenance, I might be better off just re-doing the entire public key infrastructure from scratch, annoying as that will be.

Note I am specifically asking about the Subversion command-line client running under Linux. I already know how to configure Apache to read the CRL on the server side. All I've been able to find online regarding *client-side* Subversion CRL use is Windows-specific.

-- 
Matthew Skala
mskala@ansuz.sooke.bc.ca                 People before principles.
http://ansuz.sooke.bc.ca/
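The revocation scenario the post describes (a private CA, a certificate that must be revoked after the Heartbleed patch, and a CRL distributed as a plain file rather than via a URL), as an added example that is not part of the original message or of Subversion: it builds a throwaway CA with the OpenSSL CLI and shows that a verifier handed only the root certificate still accepts the revoked certificate, while one that also consults the CRL file rejects it. The working directory, CA database layout, subject names and file names are all constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: a throwaway CA built with the OpenSSL
# CLI, two issued certificates (one then revoked) and a CRL distributed as a file.
# Assumes `openssl` is on PATH; every name, path and subject is constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal database layout that `openssl ca` expects.
mkdir -p ca/newcerts; touch ca/index.txt
echo 1000 > ca/serial; echo 1000 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./root.crt
private_key = ./root.key
default_md = sha256
default_crl_days = 30
policy = any_pol
[ any_pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed root (the file a client's CA-file setting would point at).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 365 -config ca.cnf 2>/dev/null
issue() {  # issue <cn>: key, CSR and CA-signed certificate for CN=<cn>
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -days 365 -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue old-svn.example.test   # the pre-incident certificate
issue new-svn.example.test   # its replacement
# Revoke the old one and write the CRL to a file (no distribution-point URL).
openssl ca -config ca.cnf -revoke old-svn.example.test.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# A verifier given only the trust anchor still accepts the revoked
# certificate; one that also consults the CRL file rejects it.
verify_ca_only() { openssl verify -CAfile root.crt "$1" >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile root.crt -CRLfile ca.crl "$1" >/dev/null 2>&1; }
```

Whatever the client in use, this is the property to test after re-issuing: the old certificate must fail only once the CRL is actually consulted, and the replacement must still pass with the CRL loaded.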