[cvsnt] Re: sserver

Tony Hoyle tmh at nodomain.org
Thu Jul 8 22:44:04 BST 2004


David Somers wrote:

> Observation: if the cvsnt server is configured for encryption to be
> required, I'm seeing that I can login successfully using the pserver access
> method, but when I try to do anything I get the 'This server requires an
> encrypted connection' error.  Wouldn't it make more sense to return this
> error at the login stage rather than later on...

Login doesn't actually use any of the protocol, just the authentication, 
so encryption doesn't always kick in in time (depending on the protocol 
and/or client it may well encrypt the login, but the requirement for 
encryption doesn't kick in until after the root request has arrived, 
since older clients didn't encrypt until then).  You only login once 
though so it doesn't matter in the general case.

> Question: When connecting to a server and authenticating the certificate, is
> it possible to somehow at the client end see some details of the server's
> certificate? I'm thinking I'd somehow be able to do something like issue a
> command like "cvs whoisthesever" and be given a dump of some of the elements
> in the cert (such as the CN, and who the CA is - or perhaps this should
> happen if specifying the -t option?).

Can you put that as a feature request on the bug tracker?  It sounds 
like an interesting idea.

> Question: is it possible to do mutual authentication using sserver/sspi?

Can you elaborate?

> Enhancement: It would be quite handy if cvsnt would check for CA
> certificates not only in the ca.pem file, but also in the Windows
> certificate store.

Can't really be done as OpenSSL doesn't interface with the Windows 
security layers.  It'd need a complete rewrite of sserver which would of 
course then be incompatible with the Unix version.  Of course there's 
nothing to stop you putting your custom CA in ca.pem if you have one - 
you just need it in PEM format which most CAs should export to.

> Enhancement: I would like to be able to set up my cvsnt server so that the
> encryption/compression settings could be done on a per repository basis,
> instead of a global basis. This would therefore allow anonymous access (over
> pserver) to some of the repositories whilst the others could be
> appropriately secured (using sspi or sserver).

The problem with that is that it happens too late.  Newer (2.0.x+) 
clients will encrypt as early as they can - this is before the root is 
known to check such settings.  If you encrypt later you lose an amount 
of security e.g. encrypting the negotiation/root requests.  This may be 
acceptable depending on your setup.

There's an argument for making much of the server setup repository 
specific but that's quite a lot of work...  if you want to add it as a 
feature request too I'll put it in the list of things to look at... I'm 
currently deciding priorities for future CVSNT development so the more 
requests the better :)

Tony
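
The reply above suggests putting a custom CA into ca.pem in PEM format, since OpenSSL does not read the Windows certificate store. As an added example (not part of the original message and not CVSNT code), this Python script copies only the CA certificates you name by SHA-256 fingerprint from the Windows store into a PEM bundle. The `ca.pem` path in the current directory, the function names and selection by fingerprint are assumptions.

```python
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def windows_store_certs(store="ROOT"):
    """DER certificates from a Windows system store; empty list elsewhere."""
    if sys.platform != "win32":
        return []
    return [der for der, enc, _trust in ssl.enum_certificates(store)
            if enc == "x509_asn"]

def merge_into_bundle(existing_pem, der_certs, wanted_fingerprints):
    """Append the chosen certificates to a PEM bundle, skipping duplicates.

    Only certificates whose fingerprint is listed are added, so the bundle
    does not silently inherit every root the Windows store trusts.
    """
    wanted = {fp.lower().replace(":", "") for fp in wanted_fingerprints}
    seen = {fingerprint(ssl.PEM_cert_to_DER_cert(block))
            for block in PEM_RE.findall(existing_pem)}
    bundle = existing_pem
    if bundle and not bundle.endswith("\n"):
        bundle += "\n"
    added = []
    for der in der_certs:
        fp = fingerprint(der)
        if fp in wanted and fp not in seen:
            bundle += ssl.DER_cert_to_PEM_cert(der)
            seen.add(fp)
            added.append(fp)
    return bundle, added

if __name__ == "__main__":
    path = "ca.pem"  # assumed location of the bundle; adjust to your setup
    try:
        current = open(path, encoding="ascii").read()
    except FileNotFoundError:
        current = ""
    bundle, added = merge_into_bundle(current, windows_store_certs(), sys.argv[1:])
    with open(path, "w", encoding="ascii") as fh:
        fh.write(bundle)
    print("added:", added)
```

Run it on the Windows machine with the fingerprints of the CAs you have verified as arguments; running it again adds nothing that is already in the bundle.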
