On 2014-02-21, at 12:58, Bert Huijben wrote:

> 
> 
>> -----Original Message-----
>> From: Thomas Åkesson [mailto:tho...@akesson.cc]
>> Sent: Friday 21 February 2014 11:32
>> To: Subversion Development
>> Cc: Branko Čibej; Lieven Govaerts
>> Subject: Re: Bug in ra_serf with client certificates
>> 
>> 
>> On 28 jan 2014, at 14:37, Lieven Govaerts <l...@apache.org> wrote:
>> 
>>> On Tue, Jan 28, 2014 at 1:53 PM, Branko Čibej <br...@wandisco.com> wrote:
>>> 
>>>> [Tue Jan 28 13:32:47 2014] [info] SSL Library Error: 336105671
>>>> error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return
>>>> a certificate No CAs known to server for verification?
>>>> 
>>>> 
>>>> The bug, as I see it, is that in this case, the command-line client doesn't
>>>> ask for different credentials. Shouldn't we be transforming (or wrapping)
>>>> SERF_ERROR_AUTHN_FAILED to SVN_ERR_RA_NOT_AUTHORIZED?
>>> 
>>> The command line client doesn't ask for a client certificate; it
>>> should be defined correctly in the servers file using:
>>> ssl-client-cert-file
>>> ssl-client-cert-password
>> 
>> Sorry, I am late to this party. I just got confused by the statement that
>> the command line client does not ask.
>> 
>> svn info https://secure.example.com
>> Autentiseringsregion (realm): https://secure.example.com:443
>> Filnamn för klientcertifikat:
>> 
>> This happened to come out in Swedish, but the last line asks for the filename of
>> a client cert. This was 1.7.7 that I had on an old test machine.
>> 
>> Attempting this on 1.8 gives an SSL error as this thread has already stated.
> 
> There was a behavior change in 1.8, where the default was changed to *not 
> ask* until it is enabled in the config.
> 
> See 
> http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression
> 
> I think the reasoning was that there are servers that allow a client 
> certificate but don't require one. If you had to use such a 
> server but didn't have a certificate, you would get the question over and over 
> again.

Ok, that clarifies Lieven's statement. It applies "since 1.8". 

I don't care whether the client prompts for filename or not, but I find it 
important to provide a good error message (preferably with recommended action) 
and APIs that help Tortoise et al.

I also like Markus' idea about recording the (no-)need for a certificate in the auth 
cache. 

Cheers,
Thomas Å.
