Hi everyone,

some of you might notice that you can surf to
https://www.opensc-project.org/

but your web browser will give you an error when you go to
https://www.opensc-project.org/svn/opensc/

For all projects on opensc-project.org we allow everyone to
access the svn repositories read-only. But only about 20
developers have write access too. Write access is implemented
with X.509 certificates and SSL client authentication.

The technical background is close to this: everyone can
connect to the https port of the web server without presenting
a client certificate (the server isn't asking for one).
But if your https request concerns the svn repositories
(/svn/ and below), then the server is configured to
ask "do you want to show me a certificate?", and later
it looks at the request: read-only requests are always
granted, but any write request is only allowed if a
proper client certificate was presented in the SSL
communication.

The problem is this: the implementation of this uses a feature
called "renegotiation" - first server and client build the
SSL connection without a client certificate, then the server
changes the existing connection to ask the client if it
wants to present one (but only if a certain request was
given to the server).

For that reason subversion only works if compiled with openssl
and not with gnutls - because the gnutls developers didn't implement
renegotiation.

A security problem with this SSL renegotiation feature was
discovered, and the problem is in the protocol, so all complete
implementations of SSL are affected. The quick fix for many
vendors now is this: they disable the renegotiation feature, as only
few people use it.

So if your web browser is up to date, you can no longer surf to
/svn/ on our website with https. But you can still do that without
SSL encryption.

At least for me subversion still works fine, so no need to change
anything right now.

Regards, Andreas
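Added example (not from the mail above and not the project's actual configuration): an Apache httpd mod_ssl layout that behaves the way the message describes, with the certificate request attached to /svn only. It assumes the server is Apache with mod_ssl and mod_dav_svn; the paths /srv/svn, /etc/ssl/server.pem, /etc/ssl/server.key and /etc/ssl/opensc-dev-ca.pem are placeholders.

```apache
# Added example, not the opensc-project.org configuration.
# Assumptions: Apache httpd with mod_ssl and mod_dav_svn; all file
# paths below are placeholders.
<VirtualHost *:443>
    ServerName www.opensc-project.org
    SSLEngine on
    # Server certificate and key (placeholders)
    SSLCertificateFile    /etc/ssl/server.pem
    SSLCertificateKeyFile /etc/ssl/server.key
    # CA that issued the developers' client certificates (placeholder)
    SSLCACertificateFile  /etc/ssl/opensc-dev-ca.pem

    # Vhost-wide: no client certificate is requested in the
    # initial handshake, so plain browsing of the site just works.
    SSLVerifyClient none

    <Location /svn>
        DAV svn
        # Placeholder parent directory holding the repositories
        SVNParentPath /srv/svn

        # Only here does the server ask for a certificate. Because this
        # differs from the vhost-wide setting, mod_ssl can only apply it
        # after it has seen the request URI, i.e. by renegotiating the
        # already established connection. That is the renegotiation
        # the message refers to; a client that refuses renegotiation
        # gets an error for this location.
        SSLVerifyClient optional
        SSLVerifyDepth 2

        # Read-only DAV/SVN methods are open to everyone ...
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            # ... every other method (the ones a commit uses) is only
            # allowed if the presented certificate verified against the CA.
            SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
        </LimitExcept>
    </Location>
</VirtualHost>
```

The renegotiation is triggered solely by the per-location `SSLVerifyClient` differing from the vhost-wide one. If a site wants the same access rule without depending on renegotiation (this is an alternative, not what the message says the project did), the repositories can be served from their own SSL virtual host with `SSLVerifyClient optional` set at the vhost level: the certificate request then happens in the initial handshake, the `SSLRequire` check inside `<LimitExcept>` still gates writes, and clients that have renegotiation disabled keep working over https. `SSLRequire` is the httpd 2.2 syntax; httpd 2.4 also accepts the equivalent `Require expr` form.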
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel