These last few days I’ve been working on integrating client certs with httpd’s auth scheme and mod_authz_svn. After a lot of to & fro it now works as I’d like, with one large exception!
The issue is that the ASF has an existing set of svn users, all of whom currently use a password to gain access. While making the transition to using certs we still need to allow this form of access, which means the auth has to be able to cope with both. Additionally, the group memberships should still work with the existing config until we have the group memberships all recorded in the users’ certificates (likely to take a while, I suspect). After some work this is all possible.
The problem is the svn command line app! As soon as it sees that client certs are accepted, it starts prompting for a filename to use. Hitting enter isn’t enough to tell it that you don’t have one. It will carry on asking through its entire 3 tries before moving on. During a checkout there are at least 3 connections made, so you get asked 9 times for a non-existent certificate! This is truly annoying, and it is not acceptable to expect every user to endure it simply to allow us the luxury of using certificates. We simply can’t start any form of transition until we have a solution.
Quasi suggested setting the ssl-client-cert-file setting (in ~/.subversion/servers) to /dev/null, but having tried that, it doesn’t work and I still get asked for a filename. Reading through the SVN book, there is no mention of a “don’t use certificates” setting that could be used, which is what we really need.
To have come so far down this road and with the end in sight it’s frustrating to find that such a simple thing is preventing us moving forward 🙁
Update: I’ve just spent a while crafting a small patch for svn that allows the user to add a configuration option to NOT use client certificates. This can be applied globally or in a server block so is quite flexible and removes the needless prompting. It’s been submitted to the svn team 🙂
The patch is available here