[cvsnt] Re: sserver
David Somers
dsomers at trevezel.com
Thu Jul 8 23:54:26 BST 2004
> Login doesn't actually use any of the protocol, just the authentication,
> so encryption doesn't always kick in in time (depending on the protocol
> and/or client it may well encrypt the login, but the requirement for
> encryption doesn't kick in until after the root request has arrived,
> since older clients didn't encrypt until then). You only login once
> though so it doesn't matter in the general case.
True. But from a user experience perspective, it seems weird: I can login,
but then all my commands are rejected?
> > Question: When connecting to a server and authenticating the certificate, is
> > it possible to somehow at the client end see some details of the server's
> > certificate? I'm thinking I'd somehow be able to do something like issue a
> > command like "cvs whoistheserver" and be given a dump of some of the elements
> > in the cert (such as the CN, and who the CA is - or perhaps this should
> > happen if specifying the -t option?).
>
> Can you put that as a feature request on the bug tracker? It sounds
> like an interesting idea.
Done. ID=54. (BTW, it's my first time using the bug tracker, so apologies in
advance if I got it wrong.)
> > Question: is it possible to do mutual authentication using sserver/sspi?
>
> Can you elaborate?
IIRC, SSL is usually only used by the client to authenticate that the server
is genuine... but it can also be used to also authenticate the client to the
server (so both parties know each other are genuine). Scan through the
OpenSSL docs for SSL_VERIFY_PEER.
> > Enhancement: It would be quite handy if cvsnt would check for CA
> > certificates not only in the ca.pem file, but also in the Windows
> > certificate store.
>
> Can't really be done as OpenSSL doesn't interface with the Windows
> security layers. It'd need a complete rewrite of sserver which would of
> course then be incompatible with the Unix version. Of course there's
> nothing to stop you putting your custom CA in ca.pem if you have one -
> you just need it in PEM format which most CAs should export to.
Wouldn't it 'just' involve modifying the OpenSSL code so that when running
on Windows it checks the ca.pem file and then also the certificate store? If
I get some time I'll scan through the source to see what could be done.
> There's an argument for making much of the server setup repository
> specific but that's quite a lot of work... if you want to add it as a
> feature request too I'll put it in the list of things to look at...
Done. ID=56.
> I'm currently deciding priorities for future CVSNT development so the more
> requests the better :)
:)
Cheers,
David
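Two of the points raised in this thread, mutual authentication via SSL_VERIFY_PEER and a client-side "who is the server" dump of the peer certificate, as an added example that is not part of the original mail or of the cvsnt code base. It uses Python's standard `ssl` module, which wraps OpenSSL: `CERT_REQUIRED` is OpenSSL's `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`. The file names and the sample certificate dictionary are constructed for this example.

```python
import ssl

# Constructed sample of the dict ssl.SSLSocket.getpeercert() returns for a
# validated peer certificate; every value here is made up for the example.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "cvs.example.test"),),),
    "issuer": ((("organizationName", "Example Internal CA"),),
               (("commonName", "Example Internal CA Root"),)),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "serialNumber": "0A1B2C",
}

def server_context(ca_pem, cert_pem, key_pem):
    """Server side of mutual TLS: present our own certificate and demand a
    client certificate that chains to the CAs in ca_pem (SSL_VERIFY_PEER |
    SSL_VERIFY_FAIL_IF_NO_PEER_CERT in OpenSSL terms)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_pem, key_pem)
    ctx.load_verify_locations(ca_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED   # no client cert -> handshake fails
    return ctx

def client_context(ca_pem, cert_pem=None, key_pem=None):
    """Client side: verify the server against ca_pem and check its hostname;
    if a cert/key pair is given, offer it so the server can verify us too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(ca_pem)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cert_pem:
        ctx.load_cert_chain(cert_pem, key_pem)
    return ctx

def _name_field(rdns, field):
    """Find one attribute (e.g. commonName) in a getpeercert() name tuple."""
    for rdn in rdns:
        for key, value in rdn:
            if key == field:
                return value
    return None

def describe_peer(peercert):
    """The 'cvs whoistheserver' view: subject CN, issuing CA and expiry taken
    from a getpeercert() dict, which only has content after a verified handshake."""
    return {
        "subject_cn": _name_field(peercert.get("subject", ()), "commonName"),
        "issuer_cn": _name_field(peercert.get("issuer", ()), "commonName"),
        "issuer_org": _name_field(peercert.get("issuer", ()), "organizationName"),
        "not_after": peercert.get("notAfter"),
    }
```

After `ssock = client_context("ca.pem").wrap_socket(sock, server_hostname=host)`, `describe_peer(ssock.getpeercert())` gives the certificate summary; with `verify_mode = CERT_NONE` the dict would be empty, which is itself a useful signal that no verification took place.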