CAPI regression when server running OpenSSL 1.1


Thomas Åkesson

Sep 9, 2019, 5:11:45 AM
to TortoiseSVN-dev
Hi,

Moving this discussion to dev because I believe the technical issue is now fairly well isolated.

There is a regression in the CAPI functionality (getting client cert from Windows personal cert store) when the server is running OpenSSL 1.1.1 with TLS 1.2 enabled (e.g. Ubuntu 18.04 LTS). This affects TortoiseSVN 1.10.x and 1.12.x according to my testing, while 1.9.7 works.

The same client cert works fine when configured in the servers file, so the issue is not old ciphers.

I have found this issue:

Also olszomal is on target here:

Discussion in users group:


Is it possible to downgrade OpenSSL in TSVN until OpenSSL resolves the issue?

Thanks,
Thomas Å.
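The workaround mentioned in the post above is to bypass CAPI and point Subversion at a certificate file through the `servers` configuration. The following is an added example, not code from the thread or from TortoiseSVN/Subversion: it writes such a group into `servers` text and resolves which group (and therefore which certificate file) applies to a given host, using the same `[groups]` wildcard matching Subversion uses. The group name, host patterns and certificate path are hypothetical; the file location (`%APPDATA%\Subversion\servers` on Windows, `~/.subversion/servers` elsewhere) is assumed from Subversion's documentation, not from the page.

```python
"""Added example: Subversion ``servers`` file workaround for CAPI client certs.

Assumptions (not from the page): the file is an INI-style config with a
[groups] section mapping group names to comma-separated host wildcard
patterns, and each group section may carry ssl-client-cert-file and
ssl-client-cert-password keys.
"""
import configparser
import fnmatch
import io
from typing import Optional


def _parser(servers_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(servers_text)
    return cp


def add_client_cert_group(servers_text: str, group: str, host_patterns: str,
                          cert_path: str, password: Optional[str] = None) -> str:
    """Return servers text with a group that selects a client cert file.

    The passphrase is only written if explicitly given: leaving the
    ssl-client-cert-password key out keeps the secret out of this plain-text
    file and lets svn prompt for it (and cache it in its auth area) instead.
    """
    cp = _parser(servers_text)
    if not cp.has_section("groups"):
        cp.add_section("groups")
    cp.set("groups", group, host_patterns)
    if not cp.has_section(group):
        cp.add_section(group)
    cp.set(group, "ssl-client-cert-file", cert_path)
    if password is not None:
        cp.set(group, "ssl-client-cert-password", password)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def group_for_host(servers_text: str, host: str) -> Optional[str]:
    """Name of the first [groups] entry whose wildcard pattern matches host."""
    cp = _parser(servers_text)
    if not cp.has_section("groups"):
        return None
    for group, patterns in cp.items("groups"):
        for pattern in (p.strip() for p in patterns.split(",")):
            if pattern and fnmatch.fnmatchcase(host.lower(), pattern.lower()):
                return group
    return None


def client_cert_for_host(servers_text: str, host: str) -> Optional[str]:
    """Path of the client certificate file svn would use for host, if any."""
    cp = _parser(servers_text)
    group = group_for_host(servers_text, host)
    if group is None or not cp.has_section(group):
        return None
    return cp.get(group, "ssl-client-cert-file", fallback=None)


if __name__ == "__main__":
    # Constructed sample: a minimal existing servers file plus a new group.
    text = add_client_cert_group(
        "[global]\nstore-passwords = yes\n",
        "corp", "*.example.com, svn.example.net", r"C:\certs\me.p12")
    print(text)
    print(client_cert_for_host(text, "svn.example.com"))
```

Running the block prints the resulting `servers` text and the certificate path resolved for `svn.example.com`. With the group in place Subversion (and therefore TortoiseSVN, which reads the same file) presents the certificate from the file rather than asking the CAPI engine to sign the handshake, which is the configuration the post reports as working.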

Stefan

Sep 11, 2019, 3:26:48 AM
to TortoiseSVN-dev
> Is it possible to downgrade OpenSSL in TSVN until OpenSSL resolves the issue?

Sorry, that's not possible.

Thomas Åkesson

Feb 26, 2020, 5:53:38 AM
to TortoiseSVN-dev
A summary in order to conclude this thread and clarify the ramifications.

Basically, CAPI for client certificates is rapidly becoming obsolete and should perhaps be disabled by default in an upcoming release? Given that Subversion 1.14 might be an LTS, it could be a suitable time to disable CAPI starting with TSVN 1.14.

The technical background is explained in the OpenSSL issue below. Client certificates via OpenSSL CAPI do not work when the server supports TLS 1.2 or 1.3 (the server must be reverted to TLS 1.1). There are no plans to address this in the OpenSSL project.



I am working on replacing CAPI with a web page that guides users through the process of storing the cert and passphrase in the Subversion auth cache. I will start a separate thread related to some challenges there.

Thanks,
Thomas Å.