On Tue, Jun 4, 2013 at 1:25 PM, Ivan Zhakov <i...@visualsvn.com> wrote:
> On Tue, Jun 4, 2013 at 3:19 PM, Lieven Govaerts <l...@apache.org> wrote:
>> On Tue, Jun 4, 2013 at 12:55 PM, Ivan Zhakov <i...@visualsvn.com> wrote:
>>> On Tue, Jun 4, 2013 at 2:51 PM, Lieven Govaerts <l...@apache.org> wrote:
>>>> Hi,
>>>>
>>>> see subject. Serf and ra_serf don't have smart card support at this
>>>> moment, unlike neon.
>>>>
>>>> I'd expected this to be mentioned in the release notes for 1.8.0 as
>>>> this is not new information (at least I hope so), but I can't find
>>>> anything about it.
>>>>
>>> Serf doesn't support smart cards for SSL based authentication, but
>>> SPNego (Kerberos/NTLM) smart authentication works fine.
>>
>> Ah, didn't know that. So you use your smart card to log in to Windows
>> and/or to the domain, which then enables single sign-on to a
>> Kerberos-enabled svn server, right?
>>
> I didn't try a Kerberos-enabled server. I tested using an Active Directory
> domain controller. Windows SSPI automatically uses credentials from
> the smart card used to log on to Windows.
>
>> In such a scenario, would you make the SSL layer additionally request
>> a valid client certificate?
>>
> This is performed using a different API. I believe that can be handled
> automatically by openssl when the CAPI engine is enabled.
>
You are referring to a configuration where OpenSSL uses MS's CryptoAPI to use the Windows certificate store. Never used it myself, but I see that TSVN has implemented this, with an extra dialog to select a client certificate if multiple were found. I see no reason why that won't work with serf, we probably would have heard about it if not.

So for Windows there's no problem, only for Mac & Linux we don't have a smart card solution in 1.8.0 at this time.

Lieven