On Sat, 14 June 2025 at 21:09, Branko Čibej <br...@apache.org> wrote:

> On 14. 6. 25 17:58, Graham Leggett via dev wrote:
>
> Hi all,
>
> I am having a torrid time trying to get the svn client to work on Windows. In 
> short, every attempt to connect results in "An error occurred during SSL 
> communication".
>
> One archeological dig later, it appears that when neon was replaced with 
> serf, we lost the ability to debug network connections.
>
>
> By the way, neon was replaced because it didn't support HTTP pipelining,
> so latency was not so good.
>
> -> d...@serf.apache.org is the better place to discuss this. Serf has some
> logging infrastructure, I don't know offhand if Subversion enables it. It's
> broken on the 1.4 branch (which is not and was never released) and doesn't
> exist in 1.3, but should work on trunk.
>

Graham is using TortoiseSVN, the question was asked there first. TSVN is
using Serf 1.3.latest.


>
>  At the same time, we lost the ability to support PKCS11 on Windows.
>
>
>
> That's not the case. It's clunky but it's possible.
>
> https://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.ssl.client
>
>
>  Right now, with no error messages, the chances of successfully configuring 
> an svn client via serf and openssl to connect securely through native Windows 
> functionality is zero.
>
>
> Not through Windows or macOS native APIs, but sure, using OpenSSL.
>
>
> With the end goal of full support for Windows and MacOS security 
> functionality (MFA, etc), what is the correct level to fix this at?
>
>
> -> dev@serf, again. There's some work going on right now to add
> infrastructure for MFA, but it's just that -- no-one is implementing
> multi-factor authentication, as far as I'm aware.
>
> Should there be an ra_winhttp (for Windows) and ra_cfnetwork (for MacOS)?
>
>
> No. Subversion isn't going to muck around with crypto and HTTP(S) by
> itself. Serf is intended to be the abstraction for that. There are two
> options:
>
>    1. teach Subversion to use the Windows cert store/macOS Keychain to
>    store client certificates (it already uses the latter for passwords and
>    certificate passphrases); or,
>    2. implement this in Serf directly, or at least the automatic cert
>    selection part.
>
> I suspect Subversion will be the better place to start, because Serf
> relies entirely on OpenSSL. In any case, if this were to be implemented in
> Serf, I frankly wouldn't know where to even start; it's OpenSSL turtles all
> the way down, so at the very least there would be a rather huge-ish
> refactoring effort involved.
>

There is a hack in TSVN’s version of OpenSSL called the e_capo patch which,
if memory serves me correctly, is related to certificate selection. I don’t
remember the details and I can’t check right now (only have my phone).


>
> None of the above solves the MFA part, unfortunately.
>
> -- Brane
>

Cheers
Daniel

