On 14. 6. 25 17:58, Graham Leggett via dev wrote:
Hi all,
I am having a torrid time trying to get the svn client to work on Windows. In short,
every attempt to connect results in "An error occurred during SSL
communication".
One archeological dig later, it appears that when neon was replaced with serf,
we lost the ability to debug network connections.
By the way, neon was replaced because it didn't support HTTP pipelining,
so latency not so good.
-> d...@serf.apache.org is the better place to discuss this. Serf has
some logging infrastructure, I don't know offhand if Subversion enables
it. It's broken on the 1.4 branch (which is not and was never released)
and doesn't exist in 1.3 , but should work on trunk.
At the same time, we lost the ability to support PKCS11 on Windows.
That's not the case. It's clunky but it's possible.
https://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.ssl.client
Right now, with no error messages, the chances of successfully configuring an
svn client via serf and openssl to connect securely through native Windows
functionality is zero.
Not through Windows or macOS native APIs, but sure, using OpenSSL.
With the end goal of full support for Windows and MacOS security functionality
(MFA, etc), what is the correct level to fix this at?
-> dev@serf, again. There's some work going on right now to add
infrastructure for MFA, but it's just that -- no-one is implementing
multi-factor authentication, as far as I'm aware.
Should there be an ra_winhttp (for Windows) and ra_cfnetwork (for MacOS)?
No. Subversion isn't going to muck around with crypto and HTTP(S) by
itself. Serf is intended to be the abstraction for that. There are two
options:
1. teach Subversion to use the Windows cert store/macOS Keychain to
store client certificates (it already uses the latter for passwords
and certificate passphrases); or,
2. implement this in Serf directly, or at least the automatic cert
selection part.
I suspect Subversion will be the better place to start, because Serf
relies entirely on OpenSSL. In any case, if this were to be implemented
in Serf, I frankly wouldn't know where to even start; it's OpenSSL
turtles all the way down, so at the very least there would be a rather
huge-ish refactoring effort involved.
None of the above solves the MFA part, unfortunately.
-- Brane
