From: "Bert Huijben" <bert@qqmail.nl>
To: "'Ben Reser'" <ben@reser.org>, mskala@ansuz.sooke.bc.ca, users@subversion.apache.org
Subject: RE: SVN client SSL CRL configuration
Date: Thu, 10 Apr 2014 12:26:16 +0200
Message-ID: <035201cf54a7$4ef51570$ecdf4050$@qqmail.nl>
In-Reply-To: <53459F58.6020602@reser.org>
Delivered-To: mailing list users@subversion.apache.org

> -----Original Message-----
> From: Ben Reser [mailto:ben@reser.org]
> Sent: Wednesday 9 April 2014 21:28
> To: mskala@ansuz.sooke.bc.ca; users@subversion.apache.org
> Subject: Re: SVN client SSL CRL configuration
>
> On 4/9/14, 8:56 AM, mskala@ansuz.sooke.bc.ca wrote:
> > I'm not subscribed to the list and would appreciate a cc: on any replies.
> >
> > I run a Subversion server accessible through Apache HTTPS, and several
> > clients that connect to it, all under Linux, and I run my own CA
> > (certificate authority) to issue SSL certificates to all parties. When I
> > set it up, I made no provision for issuing and distributing CRLs
> > (certificate revocation lists), not expecting that to ever be a relevant
> > issue. My server was "heartbleed"-vulnerable and has now been patched for
> > that; but it appears that as a result of possible past compromise I have
> > to issue new certificates for all the parties and revoke the old ones.
> >
> > My main question is: how do I get the Subversion command-line client to
> > read a CRL? The ssl-authority-files configuration setting lets me specify
> > my CA's root certificate in a file; is there a similar setting for the
> > CRL? I would prefer to distribute the CRL as a file (instead of a URL to
> > be checked automatically); is that possible? Or is it absolutely
> > necessary to post the CRL online somewhere and specify its URL in the root
> > certificate (which will require constructing a new root certificate and a
> > bunch of scripts to periodically re-issue and re-post the file)? If it's
> > going to necessitate changes to the root certificate and frequent ongoing
> > maintenance, I might be better off just re-doing the entire public key
> > infrastructure from scratch, annoying as that will be.
> >
> > Note I am specifically asking about the Subversion command-line client
> > running under Linux. I already know how to configure Apache to read the
> > CRL on the server side. All I've been able to find online regarding
> > *client-side* Subversion CRL use is Windows-specific.
>
> The answer unfortunately is that currently we don't support CRLs. However,
> we may have a workaround. We're investigating currently and will follow up
> with more info soon.
On Windows this is not the entire story: if you didn't explicitly accept the
certificate in Subversion (or via a custom openssl config), but automatically
accept it via the Windows Crypto API and its certificate store, then CRLs are
used... So you would see Subversion prompt for an untrusted certificate in case
the certificate is revoked.

	Bert
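The thread establishes that the Linux command-line client does not consult a CRL, so the file-based revocation check the original poster wants has to be done out of band, with the same OpenSSL tooling the CA is run with. The script below is an added example, not code from this thread or from the Subversion project: it builds a throwaway CA, issues a server certificate, revokes it, generates a CRL file, and shows that `openssl verify -crl_check` rejects the certificate only once the CRL is supplied. It assumes `openssl` is on the PATH; every file name, section name and subject (ca.pem, svn.pem, svn.example.test, demo_ca, and so on) is invented for the demo.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Subversion project.
# Builds a throwaway CA, issues a server certificate, revokes it, generates
# a CRL file and checks the certificate against that CRL with openssl(1):
# the file-based CRL check the poster asked about. Since the Subversion
# client does not consult a CRL itself, a check like this has to run out of
# band against the server's certificate (e.g. as saved from
# `openssl s_client -showcerts`). All names below (ca.pem, svn.pem,
# svn.example.test, the section names in ca.cnf) are invented for the demo.
set -eu

WORK=$(mktemp -d)
cd "$WORK"
mkdir newcerts
touch index.txt
echo 1000 > serial     # next certificate serial number (hex, even digits)
echo 01 > crlnumber    # next CRL number

# Minimal configuration for `openssl req` and `openssl ca`; the CA database
# (index.txt, serial, crlnumber, newcerts/) lives in $WORK.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name     = req_dn
x509_extensions        = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ ca ]
default_ca             = demo_ca
[ demo_ca ]
dir                    = .
database               = $dir/index.txt
new_certs_dir          = $dir/newcerts
certificate            = $dir/ca.pem
private_key            = $dir/ca.key
serial                 = $dir/serial
crlnumber              = $dir/crlnumber
default_md             = sha256
default_days           = 30
default_crl_days       = 7
policy                 = demo_policy
x509_extensions        = server_ext
[ demo_policy ]
commonName             = supplied
[ server_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# 1. Self-signed CA key and certificate (unencrypted key: demo only)
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.pem -days 30 -subj "/CN=Demo Test CA" 2>/dev/null

# 2. Server key, CSR and a certificate issued by the CA
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout svn.key \
    -out svn.csr -subj "/CN=svn.example.test" 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in svn.csr -out svn.pem 2>/dev/null

# verify_with_crl CERT CRL: succeeds only if CERT chains to ca.pem and is
# not listed in CRL. -crl_check also fails closed when no usable CRL is found.
verify_with_crl() {
    openssl verify -CAfile ca.pem -CRLfile "$2" -crl_check "$1" >/dev/null 2>&1
}

# 3. CRL with nothing revoked: the certificate is accepted
openssl ca -config ca.cnf -gencrl -out crl-empty.pem 2>/dev/null
if verify_with_crl svn.pem crl-empty.pem; then
    echo "before revocation: svn.pem accepted"
else
    echo "before revocation: svn.pem rejected (unexpected)"; exit 1
fi

# 4. Revoke the certificate, issue a fresh CRL, check again: now rejected
openssl ca -config ca.cnf -revoke svn.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
if verify_with_crl svn.pem crl.pem; then
    echo "after revocation: svn.pem still accepted (unexpected)"; exit 1
else
    echo "after revocation: svn.pem rejected"
fi

# 5. Without -crl_check the revoked certificate still verifies, which is the
#    gap a client that only trusts the CA file (and no CRL) is left with.
if openssl verify -CAfile ca.pem svn.pem >/dev/null 2>&1; then
    echo "without -crl_check: svn.pem accepted (revocation not visible)"
fi
echo "CA, certificates and CRLs left in $WORK"
```

Step 5 is the point that matters for the question above: a trust store that holds only the CA certificate (which is what ssl-authority-files gives the client) can never notice a revocation, so until the client grows CRL support the CRL has to be checked by hand, for example by saving the live server chain with `openssl s_client -connect host:443 -showcerts` and running the same `verify -crl_check` against the CA certificate and the distributed CRL file. Note that `-crl_check` alone checks only the leaf; `-crl_check_all` extends the check to every certificate in the chain.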