Announcing mod_ssl_user

on 18.06.2003 20:38:00 by martin

I have just published release 1.0 of mod_ssl_user, at

http://www.dcl.hpi.uni-potsdam.de/home/loewis/mod_ssl_user.c

This module allows setting the user field in an Apache request object,
if a user has been authenticated through SSL. It is configurable
through a mod_ssl variable name, such as SSL_CLIENT_S_DN_CN.

With that module, Subversion will write proper author information in
commit messages.

Any comments appreciated.

Regards,
Martin


------------------------------------------------------------ ---------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Announcing mod_ssl_user

on 18.06.2003 21:07:23 by Ben Collins-Sussman

martin@v.loewis.de (Martin v. Löwis) writes:

> I have just published release 1.0 of mod_ssl_user, at
>
> http://www.dcl.hpi.uni-potsdam.de/home/loewis/mod_ssl_user.c
>
> This module allows setting the user field in an Apache request object,
> if a user has been authenticated through SSL. It is configurable
> through a mod_ssl variable name, such as SSL_CLIENT_S_DN_CN.
>
> With that module, Subversion will write proper author information in
> commit messages.

So this means that Subversion repositories no longer need to require
"Basic Auth" credentials over SSL? They have other options now?



Re: Announcing mod_ssl_user

on 18.06.2003 22:42:07 by martin

Ben Collins-Sussman writes:

> So this means that Subversion repositories no longer need to require
> "Basic Auth" credentials over SSL? They have other options now?

It was always the case that you can use SSL client authentication over
mod_dav_svn. For example, our repository had for quite some time

SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM/CN=HPI OSM Client Authentication CA" && \
%{SSL_CLIENT_S_DN_CN} in { \
"Martin von Loewis", "Peter Troeger", "Michael Dirska"}

This would allow access to all the listed users (assuming that our CA
always fills out the CN properly, which it does).

So far, even though authentication succeeded properly, Subversion
would log "(no author)", meaning that users would have to provide
Basic auth *on top of that*. This was very unfortunate, since users
were already authenticated...

With that module, no need for transmitting passwords exists anymore;
just authenticating with the SSL certificate is sufficient.

Now, if I could get SVN to use the Windows CryptoAPI certificate
storage, instead of requiring PKCS12 files read by OpenSSL...

Regards,
Martin
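
As an added example (not part of the original thread and not mod_ssl_user's code), this Python model walks constructed requests through the SSLRequire gate quoted above and shows which author would be recorded with and without copying a mod_ssl variable into the request's user field. The function names, the `user_variable` parameter and the extra SSL_CLIENT_VERIFY check are assumptions made for the illustration.

```python
NO_AUTHOR = "(no author)"

# Values copied from the SSLRequire expression in the message above.
TRUSTED_ISSUER = ("/C=DE/L=Potsdam/O=Hasso-Plattner-Institut/OU=OSM"
                  "/CN=HPI OSM Client Authentication CA")
ALLOWED_CNS = {"Martin von Loewis", "Peter Troeger", "Michael Dirska"}


def ssl_require(env):
    """Access gate: verified cert, pinned issuer DN, subject CN on the list.

    The SSL_CLIENT_VERIFY test is an assumption of this example; the quoted
    expression relies on the server already requiring a client certificate.
    """
    return (env.get("SSL_CLIENT_VERIFY") == "SUCCESS"
            and env.get("SSL_CLIENT_I_DN") == TRUSTED_ISSUER
            and env.get("SSL_CLIENT_S_DN_CN") in ALLOWED_CNS)


def handle_commit(env, user_variable=None):
    """Return (HTTP status, recorded author) for one request.

    user_variable (hypothetical parameter) names the mod_ssl variable copied
    into the request's user field; None models a server without that mapping.
    """
    if not ssl_require(env):
        return 403, None
    user = env.get(user_variable) if user_variable else None
    return 200, user or NO_AUTHOR


def make_env(cn, issuer=TRUSTED_ISSUER, verify="SUCCESS"):
    """Build a constructed mod_ssl-style environment for one client cert."""
    return {"SSL_CLIENT_VERIFY": verify,
            "SSL_CLIENT_I_DN": issuer,
            "SSL_CLIENT_S_DN_CN": cn}


# Constructed sample requests; the second issuer DN is made up.
SAMPLES = {
    "listed user": make_env("Peter Troeger"),
    "same CN, other CA": make_env(
        "Peter Troeger", issuer="/C=XX/O=Constructed Other CA/CN=Other CA"),
    "unlisted CN": make_env("Someone Else"),
}

if __name__ == "__main__":
    for label, env in SAMPLES.items():
        print(label, handle_commit(env),
              handle_commit(env, "SSL_CLIENT_S_DN_CN"))
```

The CN is only usable as an author name because the issuer DN is pinned: the same CN presented under a different CA is rejected before any user is set.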

