<if test="${platform == 'win32'}">
    <exec program="perl" workingdir="..\..\..\common\openssl">
        <arg value="Configure" />
        <arg value="VC-WIN32" />
        <!-- added the following three args to enable CAC authentication -->
        <arg value="enable-capieng" />
        <arg value="-DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi" />
        <arg value="-DOPENSSL_CAPIENG_DIALOG" />
        <!-- finish modifying args -->
    </exec>
    <exec program="cmd" workingdir="..\..\..\common\openssl">
        <arg value="/c" />
        <arg value="ms\do_masm" />
    </exec>
    <exec program="nmake" workingdir="..\..\..\common\openssl">
        <arg value="-f" />
        <arg value="ms\nt.mak" />
    </exec>
</if>
I've looked at version 1.5.5's OpenSSL.build file and these are the options that were added. My question is whether or not I am missing something. When I install my compiled version and connect to a server that I know works with CAC authentication because I've tried it using version 1.5.5 of TortoiseSVN, it always just displays the "Open client certificate file" dialog. Are there other build files that I must modify?
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1710400
To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].
If you don't want the dialogs, remove the last line.
Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1712841
Update: I am currently trying to build version 1.5.5, but compilation is failing, something about external program candle error, but this is probably a discussion for another topic along with how difficult this build process is and every time I build it's like a new error pops up. Anyways, I will try to see if I can successfully build 1.5.5 with smart card authentication. What I meant to mention in my first post is that I compiled TortoiseSVN 1.6.0 with OpenSSL 0.9.8j and TortoiseSVN 1.6.1 with OpenSSL 0.9.8k with the OpenSSL.build options in my first post. Both compiled and no message in the logs indicated that the capieng would not work. Now I am trying to compile version 1.5.5 with OpenSSL 0.9.8i to see what happens, because that is the recommended version for TortoiseSVN 1.5.5. However, I am still in need of directions for compiling new versions of TortoiseSVN when they are released with the Crypto API Engine turned on with a dialog asking for a PIN.
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1714153
Version 1.5.x uses WiX version 2, while for 1.6.x and trunk we require
WiX version 3.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1714799
However, I still cannot get smart card authentication to work properly for version 1.6.0 and newer with OpenSSL 0.9.8k.
Any thoughts?
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1717144
Can you describe what exactly is different between those versions?
Also, the reason I had to deactivate this is that it's not really
implemented in Subversion and therefore the default handling of OpenSSL
doesn't work as you might expect...
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1729191
Are you referring to the TortoiseSVN version or the OpenSSL version? And the answer to both questions from me is "I don't know". That is what I am trying to figure out so that I can successfully compile a version that works with CAC authentication. I was hoping that it would be as simple as setting the three config arguments:
<arg value="enable-capieng" />
<arg value="-DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi" />
<arg value="-DOPENSSL_CAPIENG_DIALOG" />
in the OpenSSL.build file, but it doesn't look like I am that lucky. I know that in TortoiseSVN a lot has changed between version 1.5.5 and version 1.6.0. I was hoping someone could easily tell me that, "Oh, that functionality no longer exists in version 1.6.0 and we are never going back" In which case, I would tell my customers that they have to install version 1.5.5 and they never get to update to a newer version of TortoiseSVN. Or, tell me that I am just missing a crucial configuration option that will display the "OpenSSL Application SSL Client Certificate" dialog. I was really hoping that I could easily modify some configuration files to get CAC authentication working for any future release of TortoiseSVN, that way I can take advantage of new features and bug fixes of not only TortoiseSVN, but also of OpenSSL.
> Also, the reason I had to deactivate this is that it's not really
> implemented in Subversion and therefore the default handling of OpenSSL
> doesn't work as you might expect...
Does this mean that there is more than just a configuration option for making CAC authentication happen in new releases of TortoiseSVN? If so, is it something that can easily be added back into the code base so that a configuration option can be set to compile this functionality? I would be willing to help with this if someone could help me in the right direction. It obviously worked in version 1.5.5, but I do not have any knowledge of the TortoiseSVN software and do not want to waste a lot of time searching for a needle in the haystack.
-lej
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1753180
I'm referring to the behavior you see. In 1.5.5, I guess you'll get a
dialog? What happens in 1.6? No dialog? A dialog but smartcard doesn't
work?
> And the answer to both questions from me is "I don't know". That is what I am trying to figure out so that I can successfully compile a version that works with CAC authentication. I was hoping that it would be as simple as setting the three config arguments:
> <arg value="enable-capieng" />
> <arg value="-DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi" />
> <arg value="-DOPENSSL_CAPIENG_DIALOG" />
> in the OpenSSL.build file, but it doesn't look like I am that lucky. I know that in TortoiseSVN a lot has changed between version 1.5.5 and version 1.6.0. I was hoping someone could easily tell me that, "Oh, that functionality no longer exists in version 1.6.0 and we are never going back" In which case, I would tell my customers that they have to install version 1.5.5 and they never get to update to a newer version of TortoiseSVN. Or, tell me that I am just missing a crucial configuration option that will display the "OpenSSL Application SSL Client Certificate" dialog. I was really hoping that I could easily modify some configuration files to get CAC authentication working for any future release of TortoiseSVN, that way I can take advantage of new features and bug fixes of not only TortoiseSVN, but also of OpenSSL.
>
>> Also, the reason I had to deactivate this is that it's not really
>> implemented in Subversion and therefore the default handling of OpenSSL
>> doesn't work as you might expect...
>
> Does this mean that there is more than just a configuration option for making CAC authentication happen in new releases of TortoiseSVN? If so, is it something that can easily be added back into the code base so that a configuration option can be set to compile this functionality? I would be willing to help with this if someone could help me in the right direction. It obviously worked in version 1.5.5, but I do not have any knowledge of the TortoiseSVN software and do not want to waste a lot of time searching for a needle in the haystack.
Well, the whole capi stuff if used right should be implemented in svn
(serf and/or neon to be exact). The option OPENSSL_CAPIENG_DIALOG is
merely a workaround for apps that don't implement capi themselves. For
example, svn would show its own dialogs instead of the default ones
built in openssl and allow the user to 'save' the selected certificate
so the dialog doesn't pop up for every connection.
But other than that, it should work the same in 1.6 as it did in 1.5.5 -
there were no changes in TSVN and/or svn which would change that (at
least not that I'm aware of).
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1753890
In version 1.5.5 I see an "OpenSSL Application SSL Client Certificate" dialog that prompts a user to select a certificate to use from their CAC/smart card and enter a PIN, which is what I want. In every version other than version 1.5.5 I just get an "Open client certificate file" dialog that prompts a user to select a certificate file from the hard drive.
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1754196
maybe you can compare the openssl versions (e.g. with winmerge) and
check what's changed.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1754242
Stefan,
Maybe I'm misunderstanding you, but something definitely was changed. 1.5.5 will allow you to select certificates from a smart card (though as you say it does ask again on every connect) while newer versions only allow you to select file based certificates.
It appears to have been changed as a result of this thread:
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=92849
and a little more info:
http://groups.google.com/group/tortoisesvn/browse_thread/thread/18d88aa34c7c944e
I'd greatly appreciate any help.
Thanks,
Patrick
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2056291
I have compiled newer versions of TortoiseSVN with CAC authentication
following the steps in the build.txt file, but you have to take some
files from TortoiseSVN 1.5.5. Also, you can only use OpenSSL 0.9.8i,
not a newer version. I copied OpenSSL.build, VC-32.pl, and ossl_typ.h
from 1.5.5 to 1.6.1 in their appropriate locations, then everything
compiles fine using nant release setup.
The change seems to be in OpenSSL for using capi, but I'm not sure if
modifications need to be made to TortoiseSVN or OpenSSL so that newer
versions of OpenSSL can be used with TortoiseSVN with CAC
authentication.
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2057138
Comparing OpenSSL 0.9.8k with 0.9.8k reveals that capieng has to be
enabled now with
experimental-capieng
instead of
enable-capieng
this change was made because capieng is still considered experimental
and should therefore not be as easily enabled as other options.
So, change the OpenSSL.build file and replace the lines
<arg value="enable-capieng" />
with
<arg value="experimental-capieng" />
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2057870
Also, do you have any pointers for the Apache configuration? We thought we had it figured out but something is wrong. When we access the repository through a web browser, we are prompted for a CAC and can access the site. However, pointing TortoiseSVN to the same URL results in a prompt for a file based certificate, even with version 1.5.5.
Thanks,
Patrick
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2058301
No, that's the reason why I disabled it again in TSVN.
To get such a feature (e.g., using a default certificate or even save a
specific certificate like the "save authentication" does for 'normal'
authentication) it has to be implemented in the Subversion library and
serf/neon.
btw: if you guys keep compiling TSVN yourself to get capieng compiled
in, but don't send mails to the Subversion list asking for this feature,
it will never get implemented. Seriously, send mails there and request
that feature!
> Also, do you have any pointers for the Apache configuration? We
> thought we had it figured out but something is wrong. When we access
> the repository through a web browser, we are prompted for a CAC and
> can access the site. However, pointing TortoiseSVN to the same URL
> results in a prompt for a file based certificate, even with version
> 1.5.5.
Did you specify
<arg value="-DOPENSSL_CAPIENG_DIALOG" />
in the OpenSSL.build file?
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2058351
That is what I thought. Thanks for confirming that.
> btw: if you guys keep compiling TSVN yourself to get capieng compiled
> in, but don't send mails to the Subversion list asking for this feature,
> it will never get implemented. Seriously, send mails there and request
> that feature!
Sorry, I was told to investigate the possibility of using smart card
certificates in place of username/password and haven't actually made
it to the point of compiling it myself; I just wanted to see if it was
an option if we are told that we must make that switch immediately.
I will be sure to submit the feature request; do I just send it to
the Subversion dev mailing list? (Sorry, I'm pretty new to all this.)
> Did you specify
> <arg value="-DOPENSSL_CAPIENG_DIALOG" />
> in the OpenSSL.build file?
Actually, I was connecting with the 1.5.5 release, not building my own.
There is something about our Apache configuration that isn't
quite right, but I'm not sure what it is.
Thanks again for the help,
Patrick
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2335454
-------------------
So, change the OpenSSL.build file and replace the lines
<arg value="enable-capieng" />
with
<arg value="experimental-capieng" />
--
View this message in context: http://old.nabble.com/Compiling-with-capieng-enabled-for-smart-card-authentication-tp23039249p31785575.html
Sent from the tortoisesvn - users mailing list archive at Nabble.com.
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759107
The nightly builds are already compiling with capieng enabled.
If you like, you could try one of those.
And if you do, would you be willing to help me test some changes I'd like
to implement? You'd have to have two matching certificates in your cert
store so you get a dialog from OpenSSL to choose one of those certificates.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759114
Took today's build and was being prompted for the CAC pin properly (several
times, as indicated above).
Will be glad to help with the tests. I assume you have a URL you'd like me
to hit, along w/ the certs? Instructions on using the certs would be
helpful. If they can be saved to a file, that will be easy for me. If they
need to be put in the java cert store or such, I'm less familiar w/ that
process, though I've done it.
Stefan Küng wrote:
>
> The nightly builds are already compiling with capieng enabled.
> If you like, you could try one of those.
>
> And if you do, would you be willing to help me test some changes I'd like
> to implement? You'd have to have two matching certificates in your cert
> store so you get a dialog from OpenSSL to choose one of those
> certificates.
>
> Stefan
>
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759119
You're only asked for the pin and not to select a specific certificate?
That means you only have one certificate that matches. Unfortunately
that's not what I'm trying to test.
Maybe you can add another certificate that matches but isn't valid, e.g.
an expired one?
> Will be glad to help with the tests. I assume you have a URL you'd like me
> to hit, along w/ the certs? Instructions on using the certs would be
> helpful. If they can be saved to a file, that will be easy for me. If they
> need to be put in the java cert store or such, I'm less familiar w/ that
> process, though I've done it.
I'm not quite ready yet with my test build. Still trying to figure some
things out. But I'll be ready soon. I'll post a link to the test version
as soon as I'm ready.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759131
Stefan Küng wrote:
>
> You're only asked for the pin and not to select a specific certificate?
> That means you only have one certificate that matches. Unfortunately
> that's not what I'm trying to test.
> Maybe you can add another certificate that matches but isn't valid, e.g.
> an expired one?
>
>> Will be glad to help with the tests. I assume you have a URL you'd like
>> me
>> to hit, along w/ the certs? Instructions on using the certs would be
>> helpful. If they can be saved to a file, that will be easy for me. If
>> they
>> need to be put in the java cert store or such, I'm less familiar w/ that
>> process, though I've done it.
>
> I'm not quite ready yet with my test build. Still trying to figure some
> things out. But I'll be ready soon. I'll post a link to the test version
> as soon as I'm ready.
>
> Stefan
>
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759132
Unfortunately not, it requires two identity certs since email certs
aren't considered for the authentication with the svn repo. So all
that's left is one cert and if there's only one, you don't get a dialog
asking you to choose which cert to use - since there's only one, that
cert is used without asking you first.
But I had another idea which wouldn't require two matching certs in the
store. I'll have a test msi ready soon...
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759445
Please install the test version from here:
http://nightlybuilds.tortoisesvn.net/latest/
either in the win32 or x64 folder (not in the full/small folders).
You should still be able to get access to the repository if your
certificate is valid. Only expired certs are now discarded
automatically.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759465
BTW, I did get prompted to choose b/w the e-mail and ID cert.
Thanks for the upgrade! Glad to see this functionality is on your radar.
Will be looking for it in the next official release(?)
-Ronnie
p.s. No expired certs on my card, so that functionality remains untested
Stefan Küng wrote:
>
> On Tue, Jun 7, 2011 at 08:25, Stefan Küng <torto...@gmail.com> wrote:
>> On 06.06.2011 22:51, ronnie_and_sandy wrote:
>>>
>>> Well, the CAC has an e-mail cert and an identity cert. Is that good
>>> enough
>>> for your test?
>>
>> Unfortunately not, it requires two identity certs since email certs
>> aren't
>> considered for the authentication with the svn repo. So all that's left
>> is
>> one cert and if there's only one, you don't get a dialog asking you to
>> choose which cert to use - since there's only one, that cert is used
>> without
>> asking you first.
>>
>> But I had another idea which wouldn't require two matching certs in the
>> store. I'll have a test msi ready soon...
>
> Please install the test version from here:
> http://nightlybuilds.tortoisesvn.net/latest/
>
> either in the win32 or x64 folder (not in the full/small folders).
>
> You should still be able to get access to the repository if your
> certificate is valid. Only expired certs are now discarded
> automatically.
>
> Stefan
>
:-D:-D:-D:-D:-D:-D:-D
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759607
Thanks for testing!
> BTW, I did get prompted to choose b/w the e-mail and ID cert.
Now that's the exact situation I want to test :)
You see, getting prompted to select a certificate can get annoying
really fast.
So I have to find a way to store the selection so you won't get prompted
anymore for every single connection TSVN has to make to the repository.
Question: if you chose the wrong certificate, do you get an error from
TSVN or do you then get prompted again for a certificate?
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759610
Yup. I've gotta baby-sit the commit until it is over.
Stefan Küng wrote:
>
> So I have to find a way to store the selection so you won't get prompted
> anymore for every single connection TSVN has to make to the repository.
>
> Question: if you chose the wrong certificate, do you get an error from
> TSVN or do you then get prompted again for a certificate?
>
Both. I got prompted, chose the wrong cert again, and got an error. The
commit failed so all sends were rolled back.
Stefan Küng wrote:
>
> Stefan
>
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759613
I've uploaded another test version.
This time I disabled the capi engine in OpenSSL. Instead I'm trying to
get the certs from the cert store from the svn lib callback myself and
then return that cert back to the svn lib. If this works, I can add an
option to store the selected cert so the user doesn't have to choose
for every connection.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759643
did you have a chance to test this new version?
Because if this would work, I'll have a lot of work to do to make it
work perfectly.
Stefan
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2760531
If there is more than one certificate that matches the request in the
certificate store, TSVN (not OpenSSL like before) shows the cert
selection dialog, and stores the selected certificate (only the index
of the certificate in the store, not the certificate itself) so
further auth requests can be handled automatically. So you should only
get asked once for the certificate.
Stefan
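The selection behaviour Stefan describes across this thread (only identity certs with client-auth usage count, expired ones are dropped, a single match is used without asking, and a remembered store index short-cuts the dialog on later connections) as an added, portable C++ model. This is example code, not TortoiseSVN's: the Windows certificate store is modelled as a vector, the dialog is a callback, and the `Cert`, `Cached` and `select_cert` names are assumptions. It also shows the check a practitioner would want when caching only the index: verify the index still names the same certificate, since the store can change underneath it.

```cpp
// Added example (not TortoiseSVN's code): a portable model of client
// certificate selection done from the svn auth callback. Real code would
// enumerate the Windows "MY" store with CryptoAPI; here it is a vector.
#include <cstdint>
#include <optional>
#include <string>
#include <vector>

struct Cert {
    std::string subject;
    std::string issuer;       // CA that issued this cert
    int64_t     not_after;    // expiry as unix time
    bool        client_auth;  // has TLS client-auth usage (e-mail-only certs don't)
};

// The cached choice: the index into the store, plus subject/issuer so a
// shifted index is detected instead of being trusted blindly.
struct Cached {
    size_t      index;
    std::string subject;
    std::string issuer;
};

// Indices of certs usable for this request: issued by a CA the server
// accepts, usable for client auth, and not expired.
std::vector<size_t> matching(const std::vector<Cert>& store,
                             const std::vector<std::string>& accepted_cas,
                             int64_t now) {
    std::vector<size_t> out;
    for (size_t i = 0; i < store.size(); ++i) {
        const Cert& c = store[i];
        if (!c.client_auth || c.not_after <= now) continue;
        for (const auto& ca : accepted_cas)
            if (ca == c.issuer) { out.push_back(i); break; }
    }
    return out;
}

// Outcome of one auth request: which cert to present and whether the
// user had to be asked (the selection dialog is shown only in that case).
struct Choice { std::optional<size_t> index; bool prompted; };

// `ask` stands in for the dialog: it gets the candidate indices and
// returns the one the user picked.
template <class Ask>
Choice select_cert(const std::vector<Cert>& store,
                   const std::vector<std::string>& accepted_cas,
                   int64_t now, std::optional<Cached>& cache, Ask ask) {
    std::vector<size_t> cands = matching(store, accepted_cas, now);
    if (cands.empty()) return {std::nullopt, false};
    if (cands.size() == 1) return {cands[0], false};   // one match: use silently
    // Reuse the remembered index only if it still points at the same cert
    // and that cert is still a candidate; otherwise fall back to the dialog.
    if (cache) {
        for (size_t i : cands)
            if (i == cache->index && store[i].subject == cache->subject &&
                store[i].issuer == cache->issuer)
                return {i, false};
        cache.reset();   // stale: store changed under us
    }
    size_t picked = ask(cands);
    cache = Cached{picked, store[picked].subject, store[picked].issuer};
    return {picked, true};
}

// Constructed sample store (not real certificates): an e-mail cert, a valid
// identity cert and an expired identity cert, roughly what a CAC holds.
std::vector<Cert> sample_store() {
    return {
        {"CN=DOE.JOHN,OU=Email",  "CN=Example Email CA", 2000000000, false},
        {"CN=DOE.JOHN,OU=ID",     "CN=Example ID CA",    2000000000, true},
        {"CN=DOE.JOHN,OU=ID-old", "CN=Example ID CA",    1000000000, true},
    };
}
```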
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2761984