From: "Bert Huijben"
To: 'Thorsten Schöning'
Subject: RE: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?
Date: Wed, 19 Aug 2015 22:06:47 +0200

> -----Original Message-----
> From: Thorsten Schöning [mailto:tschoening@am-soft.de]
> Sent: Wednesday, 19 August 2015 21:50
> To: users@subversion.apache.org
> Subject: Is it safe to redirect from HTTP to HTTPS in case of svn:externals?
>
> Hi,
>
> I'm implementing publicly accessible mod_dav_svn in addition to some
> internally used svnserve. Some of my repos use svn:externals where we
> used to define "//internal.example.org/...", my publicly available
> entry point is "https://external.example.org". For the public
> "internal.example.org" is resolved as "external.example.org", so
> checking out a repo from HTTPS with svn:externals used would result in
> a request to "https://internal.example.org" and produce certificate
> verification failures in the client because of mismatching domain
> names and such.
>
> So I thought of simply changing the svn:externals definition to
> "http://internal.example.org" which I can then redirect to
> "https://external.example.org" on my public server. In my tests that
> seemed to work properly and the important part is that the locally
> created working copy for svn:externals only contained HTTPS-URLs.
>
> So am I correct that my approach is safe regarding that no user
> passwords or such are going unencrypted over the wire if only the
> first request doesn't contain such passwords and will always only be
> the redirect? Any other problems which I might overlook currently?

The key Subversion uses to store passwords is different between http and
https, so a password used for https won't be used for http.

There are other options to specify your externals; see 'svn help propset'

[[
  The URL may be a full URL or a relative URL starting with one of:
    ../      to the parent directory of the extracted external
    ^/       to the repository root
    /        to the server root
    //       to the URL scheme
    ^/../    to a sibling repository beneath the same SVNParentPath location
]]

        Bert
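
An added illustration of the relative forms quoted above (not part of the original message and not Subversion's own code): a small resolver for the URL part of an svn:externals definition that reports which forms leave the scheme or host of the checkout. The function names, the finding labels and the `/svn/...` paths are assumptions made for the example; `../` is resolved against the directory that carries the property.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: the checkout URL from the thread plus assumed paths.
PARENT = "https://external.example.org/svn/app/trunk"  # directory carrying svn:externals
ROOT = "https://external.example.org/svn/app"          # repository root

def _with_path(base, path):
    """Return base with its path replaced by the normalized path."""
    s = urlsplit(base)
    return urlunsplit((s.scheme, s.netloc, posixpath.normpath(path), "", ""))

def resolve_external(url, parent_dir_url, repos_root_url):
    """Resolve an external URL using the prefixes listed by 'svn help propset'."""
    parent = urlsplit(parent_dir_url)
    root = urlsplit(repos_root_url)
    if url.startswith("^/"):   # repository root; ^/../ climbs to a sibling repository
        return _with_path(repos_root_url, root.path.rstrip("/") + "/" + url[2:])
    if url.startswith("//"):   # only the scheme is inherited, the host is hardcoded
        return parent.scheme + ":" + url
    if url.startswith("/"):    # server root: scheme and host are inherited
        return _with_path(parent_dir_url, url)
    if url.startswith("../"):  # relative to the directory carrying the property
        return _with_path(parent_dir_url, parent.path.rstrip("/") + "/" + url)
    return url                 # full URL, used exactly as written

def audit(url, parent_dir_url=PARENT, repos_root_url=ROOT):
    """Return (resolved_url, findings) for one external URL."""
    resolved = resolve_external(url, parent_dir_url, repos_root_url)
    r, p = urlsplit(resolved), urlsplit(parent_dir_url)
    findings = []
    if r.scheme == "http":
        findings.append("cleartext-scheme")  # first request leaves without TLS
    if r.netloc != p.netloc:
        findings.append("different-host")    # certificate must match this other name
    return resolved, findings

if __name__ == "__main__":
    for ext in ("//internal.example.org/svn/lib/trunk",
                "http://internal.example.org/svn/lib/trunk",
                "^/../lib/trunk", "/svn/lib/trunk", "../vendor"):
        print(ext, "->", audit(ext))
```

With these sample values only the `^/`, `/` and `../` forms stay on the HTTPS host the user checked out from, so they need neither the redirect nor a second certificate name.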