TortoiseSVN with DoD CAC (Smart Card) configuration help


Delmar Dale

Nov 16, 2012, 4:46:50 PM
to us...@tortoisesvn.tigris.org
I work on a DoD project, and we are standing up Subversion in an effort to migrate off CVS. I have installed Subversion Edge on a Linux platform, and I have it setup to authenticate from Smart Card and optionally User/Pass from LDAP. The server setup seems good, it's running https and the certificates on the server are all good as they came from the DoD CA.

On the client machines which are Windows 7 64 bit, access to Subversion with the web browser (IE8) works as expected. When I access the subversion URL, I am prompted to select the certificate. I select the cert and it signs me in. If I hit cancel it then prompts for user/pass which I can then sign in.

But the main goal is to get TortoiseSVN working. So we installed TortoiseSVN in the testlab (DoD very strict about downloading software) and have been trying to get it to work.

So here is the problem. When trying to checkout with TortoiseSVN it prompts for the certificate, but it doesn't seem to take it, and it then prompts for the user/pass. If I cancel the user/pass dialogs the connection fails. I see 401 errors in the log like this.

10.118.181.50 -- [15/Nov/2012:15:29:00 - 0800] "OPTIONS" /svn/path HTTP1/1" 401 401

I tried setting apache to certificate only login, and TortoiseSVN prompts 3 times to choose the cert and then it fails with this error:

Error: OPTIONS of 'https://xxx/svn': SSL handshake Error: failed, client certificate was requested: SSL error: sslv3 alert handshake

It seems for some reason Tortoise isn't passing the selected cert information to Apache. From reading here I found one suggested fix for a similar error was to set this in the servers file.

[global]
http-library = serf

I tried that and it didn't help.

Any help into resolving this issue would be appreciated.

Thank You,

Delmar Dale

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3028919

To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].

Stefan Küng

Nov 17, 2012, 3:06:55 AM
to us...@tortoisesvn.tigris.org
On 16.11.2012 22:46, Delmar Dale wrote:
> I work on a DoD project, and we are standing up Subversion in an effort to migrate off CVS. I have installed Subversion Edge on a Linux platform, and I have it setup to authenticate from Smart Card and optionally User/Pass from LDAP. The server setup seems good, it's running https and the certificates on the server are all good as they came from the DoD CA.
>
> On the client machines which are Windows 7 64 bit, access to Subversion with the web browser (IE8) works as expected. When I access the subversion URL, I am prompted to select the certificate. I select the cert and it signs me in. If I hit cancel it then prompts for user/pass which I can then sign in.
>
> But the main goal is to get TortoiseSVN working. So we installed TortoiseSVN in the testlab (DoD very strict about downloading software) and have been trying to get it to work.
>
> So here is the problem. When trying to checkout with TortoiseSVN it prompts for the certificate, but it doesn't seem to take it, and it then prompts for the user/pass. If I cancel the user/pass dialogs the connection fails. I see 401 errors in the log like this.
>
> 10.118.181.50 -- [15/Nov/2012:15:29:00 - 0800] "OPTIONS" /svn/path HTTP1/1" 401 401
>
> I tried setting apache to certificate only login, and TortoiseSVN prompts 3 times to choose the cert and then it fails with this error:
>
> Error: OPTIONS of 'https://xxx/svn': SSL handshake Error: failed, client certificate was requested: SSL error: sslv3 alert handshake
>
> It seems for some reason Tortoise isn't passing the selected cert information to Apache. From reading here I found one suggested fix for a similar error was to set this in the servers file.
>
> [global]
> http-library = serf
>
> I tried that and it didn't help.
>
> Any help into resolving this issue would be appreciated.

First things you should try:
* use a browser and see if you can browse the repository with that.
* make sure you're using the correct url for TSVN: you must use the url
that points to the repository itself, not some web view interface
* Settings dialog->Network->Subversion servers file->Edit
read the comments in the file, then set up your certificate file
ssl-client-cert-file = path/to/your/cert/file
and check if you can access the repository now
* also try the command line client (svn.exe)
* you might get better help on the svn users mailing list since this is
a server setup issue, not really a client problem

Stefan

--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
  \ \_/_\_/>     The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3029005

Delmar Dale

Nov 17, 2012, 4:41:33 PM
to us...@tortoisesvn.tigris.org
Yes I can use the browser no problem to go to the repository. https://xxxx:18080/svn

It works as expected. I do believe the server is setup properly from all the documentation I found online, and as I said with the browser it works as expected.

Regarding choosing the certificate file, some tips on how to do this would be appreciated since I'm trying to authenticate with a smartcard. As I said tortoiseSVN opens the prompt and I choose the smart card certificate I would like to use, but tortoiseSVN doesn't seem to actually use it.

There is no certificate file just sitting out in a directory. I can see the certificate in the Windows Certificate Store. How do I specify one of those certificates with Tortoise?

Thank You,

Delmar Dale

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3029101

Delmar Dale

Nov 29, 2012, 12:33:42 PM
to us...@tortoisesvn.tigris.org, Delmar Dale
Ok here is another update with my issue. I finally got TortoiseSVN on my DoD PC (previously it was in a testlab only).

Here is what works.
The browser works perfectly authenticating with the CAC Card (smartcard from ActivIdentity)

The Eclipse Plugin Subversive works perfectly as well

TortoiseSVN does not work.

I have the server setup to first look for a client certificate, and if that fails then ask for user/password.

With Tortoise when I try to do a checkout, I am prompted to with a "Windows Security" screen to "Select a Certificate". When I select the certificate and click OK. I then get a user/pass prompt.

I can see in the logs as soon as I click OK on the select the certificate screen that an error comes up in the access log like this.

10.10.10.10 - - [29/Nov/2012....] "OPTIONS" /svn HTTP/1.1" 401 401

I can see there is a "-" where normally I would expect the username to show up. With the browser this is populated with the subject of the client certificate. It seems to me that although I am selecting this certificate in TortoiseSVN it is not passing it to the webserver.

Any assistance would be appreciated. I've got 200+ developers waiting for me to figure this out. I have been directed by the DoD that CAC login must be supported.

Thanks,

Delmar

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3032080

Stefan Küng

Nov 29, 2012, 1:48:32 PM
to us...@tortoisesvn.tigris.org
On 29.11.2012 18:33, Delmar Dale wrote:
> Ok here is another update with my issue. I finally got TortoiseSVN
> on my DoD PC (previously it was in a testlab only).
>
> Here is what works. The browser works perfectly authenticating with
> the CAC Card (smartcard from ActivIdentity)
>
> The Eclipse Plugin Subversive works perfectly as well
>
> TortoiseSVN does not work.
>
> I have the server setup to first look for a client certificate, and
> if that fails then ask for user/password.
>
> With Tortoise when I try to do a checkout, I am prompted to with a
> "Windows Security" screen to "Select a Certificate". When I select
> the certificate and click OK. I then get a user/pass prompt.
>
> I can see in the logs as soon as I click OK on the select the
> certificate screen that an error comes up in the access log like
> this.
>
> 10.10.10.10 - - [29/Nov/2012....] "OPTIONS" /svn HTTP/1.1" 401 401
>
> I can see there is a "-" where normally I would expect the username
> to show up. With the browser this is populated with the subject of
> the client certificate. It seems to me that although I am selecting
> this certificate in TortoiseSVN it is not passing it to the
> webserver.
>
> Any assistance would be appreciated. I've got 200+ developers
> waiting for me to figure this out. I have been directed by the DoD
> that CAC login must be supported.

http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3029005

* Settings dialog->Network->Subversion servers file->Edit
read the comments in the file, then set up your certificate file
ssl-client-cert-file = path/to/your/cert/file
and check if you can access the repository now
* also try the command line client (svn.exe)
* you might get better help on the svn users mailing list since this is
a server setup issue, not really a client problem



------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3032089

Delmar Dale

Nov 29, 2012, 6:07:15 PM
to us...@tortoisesvn.tigris.org
Thank you for your response. This is similar to your last response.

My question before and still is: I do not have a p12 file. The certificate is in the Windows Certificate Store, and was put there by the ActivIdentity smartcard software.

How do I explicitly specify this type of certificate?
Is there some special path format to tell Tortoise to pull from Windows Certificate Store?

At this point I do not think it is a server issue, as I've read through much documentation and everything checks out. Also IE and Subversive work as expected.

Thanks,

Delmar Dale

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3032145

Stefan Küng

Nov 30, 2012, 11:59:52 AM
to us...@tortoisesvn.tigris.org
On 30.11.2012 00:07, Delmar Dale wrote:
> Thank you for your response. This is similar to your last response.
>
> My question before and still is: I do not have a p12 file. The
> certificate is in the Windows Certificate Store, and was put there by
> the ActivIdentity smartcard software.
>
> How do I explicitly specify this type of certificate? Is there some
> special path format to tell Tortoise to pull from Windows Certificate
> Store?
>
> At this point I do not think it is a server issue, as I've read
> through much documentation and everything checks out. Also IE and
> Subversive work as expected.

Subversion needs a p12 file for that kind of authentication. TSVN tries
to retrieve that from the cert store, but apparently that fails or the
certificate can not be converted to p12 format properly.

I don't think you'll be able to use TSVN or an official svn client with
your setup.



------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3032388

Delmar Dale

Nov 30, 2012, 12:18:04 PM
to us...@tortoisesvn.tigris.org
Thank you for the reply.

The reason I think that it should work is that there is a govt software development website called software.forge.mil

That website specifically lists TortoiseSVN as being CAC login compatible and says as of TortoiseSVN 1.7.0 the support was added.

My next step is to contact forge.mil for tips.

Specifically this type of authentication is PKCS#11 instead of PKCS#12.

Thanks,

Delmar

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3032392

Andy Levy

Nov 30, 2012, 12:34:50 PM
to us...@tortoisesvn.tigris.org
On Fri, Nov 30, 2012 at 12:18 PM, Delmar Dale <delma...@hp.com> wrote:
> Thank you for the reply.
>
> The reason I think that it should work is that there is a govt software development website called software.forge.mil
>
> That website specifically lists TortoiseSVN as being CAC login compatible and says as of TortoiseSVN 1.7.0 the support was added.
>
> My next step is to contact forge.mil for tips.


If forge.mil says that TSVN is compatible with their setup, asking them for help in configuring it should be your first stop, IMHO. No one here knows how they've set things up or how they tested it.

Delmar Dale

Dec 3, 2012, 6:41:48 PM
to us...@tortoisesvn.tigris.org
Here is the latest update.
The CAC smartcard actually has 3 certificates on it. Apparently TortoiseSVN has an issue with this.

If I removed 2 of the certificates from my windows certificate store and left only the "ID" cert, then TortoiseSVN works correctly with the CAC card.

I received this response from forge.mil, and I am waiting on finding out their exact solution.

"I will see if the engineers have the 'how-to'. Sounds like we are getting closer to fixing this.

Our original workaround for users was to tell them to remove the email cert but of course, that is not helpful and only a temporary fix. Whatever we implemented, fixed it for good. Will let you know what they say and pass it along."

Thank you all for help.

Delmar

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3033028

Delmar Dale

Dec 4, 2012, 2:43:37 PM
to us...@tortoisesvn.tigris.org
Ok the issue is resolved!

What I needed to do was remove the CA Certs from the server for the other certificates that were on the CAC card. I left only the CA Certs for the "ID" certificates on the Apache server and now it's working great, exactly as expected.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3033225

Stefan Küng

Dec 4, 2012, 3:32:59 PM
to us...@tortoisesvn.tigris.org
On 04.12.2012 20:43, Delmar Dale wrote:
> Ok the issue is resolved!
>
> What I needed to do was remove the CA Certs from the server for the
> other certificates that were on the CAC card. I left only the CA
> Certs for the "ID" certificates on the Apache server and now it's
> working great, exactly as expected.

Thanks for reporting back.
So this is really an issue on the server?

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3033233

Delmar Dale

Dec 4, 2012, 5:34:09 PM
to us...@tortoisesvn.tigris.org
While a server change did fix the issue, I think this must be a bug with TortoiseSVN not being able to handle multiple certificates on a SmartCard properly.

The change I made by removing the CA Certs from Apache for the issuers of the unwanted certificates essentially caused them to not be recognized as valid, and since there is only one left Tortoise used it.

Funny forge.mil wasn't able to answer how they got it working either. All they told me was they had to use "ID" cert instead of "EMAIL" cert, but couldn't tell me how to do it.

I had another colleague mention to me the trick of removing the unneeded CA Certs from Apache as a way to limit the certs an end user is presented to choose from.

By default the package I get from DISA contains all the DoD CA Certs.

I am very happy this is working. Now I can start pushing this out to some developers to really start pounding on it.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3033252

Jared Jennings

Jan 14, 2013, 6:13:32 PM
to us...@tortoisesvn.tigris.org
Delmar, I'm so glad you figured this out. I haven't seen TortoiseSVN 1.7.x work with a CAC until trying what you suggested.

Stefan, for what it's worth, choosing from multiple valid CAC-based certificates did work once for me, with 1.6.99.19370. I would willingly figure out what changed, except that the workarounds mentioned get rid of all those certificate choice boxes, which is much more desirable than getting the 1.6.99 behavior back.

But if my curiosity were to consume me - does 1.6.99.19370 mean that if I wanted to build a copy, I'd check out revision 19370 from the trunk?

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3043442

Delmar Dale

Feb 13, 2013, 5:54:48 PM
to us...@tortoisesvn.tigris.org, Jared Jennings
Jared and Stefan,

Sorry for taking so long to respond. We are going full steam at rolling out Tortoise at our enterprise once I got the CAC problem figured out. All was going well until we encountered a user with a "PIV" card. This card had 2 certificates issued by the same CA. So for this user, Tortoise is prompting for the certificate. And of course we're back to the original issue of, although you select a certificate, Tortoise doesn't use it.

What I had to do was tell the user to delete one of the certificates from the Windows Certificate Store with a command similar to this: certutil -delstore -user "My" 1ee28a, before they use Tortoise. The certificate gets automatically re-installed when they re-insert their CAC.

There is a concern that these PIV cards are the future, and we need to get this issue resolved before everyone gets upgraded to this type of card.

I advised our development team to test the latest nightly build in the testlab to see if the issue is still there, and if it is, then submit a formal bug report with Tortoise.

I will be leaving this organization in two weeks due to a contract change, so I will find another POC who will follow up on this issue.

Thanks,

Delmar Dale

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3048641
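A client-side check for the condition described in the Dec 4 and Feb 13 messages above (several private-key certificates from the card in the user's personal store, possibly under one issuer); this is an added example, not code from the thread or from TortoiseSVN. It assumes the CAC/PIV middleware has populated Cert:\CurrentUser\My as the posts describe, and it reads EKU values only to label which entry is the e-mail certificate, since the thread does not say the client filters on EKU.

```powershell
# Added example, not part of the thread: report the smart-card certificates in
# the user's personal store that TortoiseSVN 1.7 could be asked to choose between.
# Assumption: the CAC/PIV middleware has copied the card's certificates into
# Cert:\CurrentUser\My (the behaviour the posts describe).

$EmailProtectionOid = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (S/MIME)
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Get-CardCertificateReport {
    # Every unexpired certificate with a private key is a possible answer to a
    # TLS client-certificate request; the EKU columns only help tell the "ID"
    # and "EMAIL" certificates apart, as the thread distinguishes them.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object {
            $oids = Get-EkuOids -Cert $_
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                ClientAuth = ($oids -contains $ClientAuthOid)
                Email      = ($oids -contains $EmailProtectionOid)
                NotAfter   = $_.NotAfter
            }
        }
}

function Test-SvnClientCertAmbiguity {
    $report = @(Get-CardCertificateReport)
    if ($report.Count -le 1) {
        Write-Host 'OK: at most one private-key certificate in the store; no selection dialog expected.'
        return $report
    }

    $report | Format-Table Thumbprint, Subject, Issuer, ClientAuth, Email, NotAfter -AutoSize

    $groups = @($report | Group-Object Issuer)
    if ($groups.Count -gt 1) {
        # CAC case from the thread: certificates from different issuers. Dropping
        # the unwanted issuers from Apache's accepted CA list leaves one match.
        $msg = 'Certificates come from {0} issuers; limiting the server CA list to the ID-certificate issuer removes the extra choices.' -f $groups.Count
        Write-Host $msg
    }
    foreach ($g in ($groups | Where-Object { $_.Count -gt 1 })) {
        # PIV case from the thread: several certificates under one issuer. The
        # server cannot tell them apart, so only client-side removal helps; the
        # store entry comes back when the card is re-inserted.
        $msg = "{0} certificates share issuer '{1}'; remove the unneeded one with: certutil -delstore -user My <thumbprint>" -f $g.Count, $g.Name
        Write-Host $msg
    }
    return $report
}

Test-SvnClientCertAmbiguity | Out-Null
```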

Delmar Dale

Feb 13, 2013, 7:34:28 PM
to us...@tortoisesvn.tigris.org
We just tested the latest nightly build, and it still has the issue.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3048643

Stefan Küng

Feb 15, 2013, 4:40:27 PM
to us...@tortoisesvn.tigris.org, Delmar Dale, Jared Jennings
On 13.02.2013 23:54, Delmar Dale wrote:
> Jared and Stefan,
>
> Sorry for taking so long to respond. We are going full steam at
> rolling out Tortoise at our enterprise once I got the CAC problem
> figured out. All was going well until we encountered a user with a
> "PIV" card. This card had 2 certificates issued by the same CA. So
> for this user, Tortoise is prompting for the certificate. And of
> course we're back to the original issue of, although you select a
> certificate, Tortoise doesn't use it.
>
> What I had to do was tell the user to delete one of the certificates
> from the Windows Certificate Store with a command similar to this
> "certutil -delstore -user "My" 1ee28a" before they use Tortoise. The
> certificate gets automatically re-installed when they re-insert their
> CAC.
>
> There is a concern that these PIV cards are the future, and we need
> to get this issue resolved before everyone gets upgraded to this type
> of card.
>
> I advised our development team to test the latest nightly build in
> the testlab to see if the issue is still there, and if it is, then
> submit a formal bug report with Tortoise.

I think I know why this doesn't work:

the e_capi module in OpenSSL can use the certificates from the smartcard
directly. However as you've noticed, this only works if there's only one
certificate in the store that matches the request. If there are more,
the e_capi module has an option to show the cert selection dialog itself
and it would work, but that's unusable: you would get that dialog
multiple times for every TSVN command (and with multiple times I mean a
*lot*).
So that option is disabled.

When TSVN shows the cert selection dialog, it has to extract that
certificate from the store (export it) and pass that information back to
the svn library as a file. And here's why it fails: certificates from
smartcards are not exportable!

I have an idea which might work. Problem is with that approach: for
every connection, there's first a connect attempt that will fail because
I would pass an empty/invalid certificate to be used. Only on the retry
the real certificate would be used and then it would work. While the
user wouldn't notice that, I assume that your server log will get an
error entry every time.

I hope to get a test version ready this weekend.

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3048911

Stefan Küng

Feb 23, 2013, 4:11:36 PM
to Bogardus, Robert K Jr CTR DODHRA DMDC (US), Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
On Wed, Feb 20, 2013 at 10:22 PM, Stefan Küng <torto...@gmail.com> wrote:
> On 19.02.2013 21:51, Bogardus, Robert K Jr CTR DODHRA DMDC (US) wrote:
> > Hi Stefan,
> > [I'm taking over this issue for DMDC as Delmar is being reassigned shortly.]
> >
> > Thanks so much for the time you spent looking into this.
> >
> > Could you suggest how we should proceed? The serf issue you mentioned was last updated in Oct 2011.
> >
> > If it would help, I can run test nightly builds if you have time to work that approach. (I agree it's very hard to debug that way though -- unless you could print some extensive diagnostics? -- perhaps triggered with some flag setting if there's a concern about bothering other testers with the output.)
>
> Since as I mentioned before, this needs to be implemented in serf and the svn library, I can't do it directly in TSVN.
> But I'll try to implement this in serf myself, and then in the svn library and once that works in TSVN. Not sure when I have the time, maybe this weekend, but don't count on it that I get it working right away...

So, implementing this in serf and/or svn doesn't work either:
Since smartcard certificates and certificates in the cert store are usually marked as "not exportable", there is no way to get them out of the smartcard or the cert store. You can only use them with the windows crypto API, but never ever get their key directly.
Which means to actually use those certificates, de/encrypting data has to be done with the crypto API.
OpenSSL however does not provide callbacks for clients to do that. Only 'engines' (kind of plugins) can do that, and that's what the e_capi engine in OpenSSL actually does.

So: clients can not use those certificates.
No way around that, no tweaks or hacks possible.

It seems the only way to get this really working is to use the e_capi engine in OpenSSL and patch that engine to work better in our situation.

As I mentioned before, the way e_capi works right now is not really usable. A short recap:
If a server requests a certificate, it first checks all available certificates and selects those that match the request.

* if there's only one certificate that matches the request, that certificate is used unconditionally. That's what you see if there's only one certificate on your smartcard, and as you mentioned this works quite well.
  (since for some people even this doesn't work, TSVN has patched e_capi to disable the engine completely with a registry entry)
* if there are more than one certificate available that match the request, e_capi would show a dialog to select the certificate. But that selection is not stored/saved/cached. That means for longer checkouts/updates/... you'll get more than one dialog to choose the very same certificate. And the repository browser which makes a separate connection for every listed folder would be completely unusable - you'd get hundreds of those dialogs before you could even see the first file/folder listing.

right now, TSVN has patched e_capi to never show the cert selection dialog, but show its own instead. TSVN caches the selection so you won't get the dialog more than once. Problem is: that only works if the certificate is exportable - as you've seen with your smartcards that have more than one matching cert.


It seems the only way to make this work better is to patch the e_capi engine even more (a perfect solution might not be possible, at least I haven't found one yet):
We have to patch e_capi to save the user choice of the certificate.

Here's how I've implemented this:
* the index of the certificate in the store is saved to the registry
* if another request from the same cert chains is requested, use the saved index and return that certificate without showing the selection dialog
* export a function to remove the cached index for the last connection

This should work fine in most situations.
But: in some situations, this requires user interaction or won't work at all.

* if the order of the certificates in the store/smartcard changes or the user selected the wrong certificate, the connection will fail. And further connections will fail as well. If the server returns an auth error code, then TSVN will automatically clear the cached data from the registry, and the next attempt will show the cert selection dialog again. However if the server does return another error code indicating a connection failure instead, TSVN will not recognize this and not clear the cached cert index. So further connections will fail over and over again. The user must then remove that cached data manually with the registry editor (for now) or in the settings dialog (will do that later).
* if there are multiple repositories the user connects to that have the same certificate requests, but the user must use different certificates for those (e.g., if the user has two certificates, one as 'user' and one as 'admin') then e_capi will repeatedly fail and operations need to be repeated a lot. And depending on the error code, the user would also have to clear the auth data every time.
* worst case scenario: situation as in the previous point, but now with those two repositories connected with svn:externals, and the user is using the repository browser. Here, best thing would be to just disable e_capi completely since you won't get the repo browser to show up properly.


If you've read all my nonsense above: I have a test version for you to try:
http://nightlybuilds.tortoisesvn.net/CAPITest/
Please note that this version is from TSVN trunk, using trunk of the svn library. If you were using TSVN 1.7.x before, you have to upgrade your working copies first (or use the repo browser only).

Do you have a repository where you don't have access to certain subfolders? If yes, please use the repo browser and try to browse to those folders. It would be interesting to see how the patched e_capi reacts in this situation.
If not, please test at least the following:
* run update on a working copy
* show the log
* show the repo browser
always check how many times you have to select the certificate.

And: please also test what happens if you select the wrong certificates of the two you have on your smartcard (I'm guessing only one is valid or can be used to access the repository).
If you need to clear the cached cert selection, use regedit.exe to delete the registry key
HKCU\Software\TortoiseSVN\CAPIAuthz

(you could also change the value of the entry below that key to another value and see what happens then).

I hope it's not too much work for you to test this, but I really need someone with such a setup to test this before I commit my changes.

Stefan


Bogardus, Robert K Jr CTR DODHRA DMDC (US)

Feb 25, 2013, 4:39:50 PM
to Stefan Küng, Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
Hi Stefan,
It works perfectly! I've attached the test cases I've run and they all work just fine.

Our repositories are readable by everyone, just some are write-restricted - this version works fine with that.

A function to remove the cached index for the last connection is a great solution - we'll need that for sure.

Let me know if you need any other testing and when you've committed a version we can use.

We really appreciate your help and your quick response.

Thanks so much!
Bob

Bob Bogardus - DMDC Contract Support
DAP Development
robert.k.b...@mail.mil
831/583-2400x4236
DSN 878-2951


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3049805

Testing_DMDC.txt

Stefan Küng

Feb 26, 2013, 2:24:54 PM
to Bogardus, Robert K Jr CTR DODHRA DMDC (US), Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
On 25.02.2013 22:39, Bogardus, Robert K Jr CTR DODHRA DMDC (US) wrote:
> Hi Stefan, It works perfectly! I've attached the test cases I've run
> and they all work just fine.
>
> Our repositories are readable by everyone, just some are
> write-restricted - this version works fine with that.
>
> A function to remove the cached index for the last connection is a
> great solution - we'll need that for sure.

I'm on it. Should be ready soon.

> Let me know if you need any other testing and when you've committed a
> version we can use.

Yes. First thanks for testing!
Now, in your test report you have this:
6) Checkout app2 (I have READ-ONLY permission)
- no cert requests
- Edited a file. Tried to commit...
- no cert requests
- Failed (this is correct)
Error: Commit failed
POST of '...': 403 Forbidden

7) Clear cached cert selection from registry
HKCU\Software\TortoiseSVN\CAPIAuthz
...

When the commit failed with "forbidden", did that clear the auth cache
in the registry? If not, what was the exact error message?
I've changed TSVN to clear the cached cert index in case of
authentication errors. But maybe the "403 Forbidden" doesn't get
translated by the svn library into an auth error code.

Anyway: I've committed the e_capi patch now, so all nightly builds will
use it from now on. Note however that this change won't get backported
to the stable branch since it's a major change and not a bugfix.

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3049898

Bogardus, Robert K Jr CTR DODHRA DMDC (US)

Feb 26, 2013, 7:55:23 PM
to Stefan Küng, Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
Hi Stefan,
Cool. I'll grab the next nightly build.

See the attached for some screenshots of the "forbidden" message when trying to WRITE to a READ-ONLY directory. It did NOT clear the auth cache in the registry -- did NOT request a new cert choice. It's almost identical to our current version (1.7.11) doing the same thing... (that screenshot is also in the PDF)

Do you know yet which stable branch this change will appear in? We'd like to keep an eye for it.
We'll use the nightly build for now.

Thanks.
Bob

Bob Bogardus - DMDC Contract Support
DAP Development
robert.k.b...@mail.mil
831/583-2400x4236
DSN 878-2951



------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3049913

TSVN_Failed.pdf

Stefan Küng

Feb 27, 2013, 4:22:09 PM2/27/13
to Bogardus, Robert K Jr CTR DODHRA DMDC (US), Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
On 27.02.2013 01:55, Bogardus, Robert K Jr CTR DODHRA DMDC (US) wrote:
> Hi Stefan, Cool. I'll grab the next nightly build.
>
> See the attached from some screen shots of the "forbidden" message
> when trying to WRITE to a READ-ONLY directory. It did NOT clear the
> auth cache in the registry -- did NOT request a new cert choice. It's
> almost identical with our current version (1.7.11) doing the same
> thing... (that screen shot is also in the PDF)

Thanks for the info. Seems I have to find a way to determine the error
cause a different way to figure out if the cert index cache needs to be
cleared.

> Do you know yet which stable branch this change will appear in? We'd
> like to keep an eye for it. We'll use the nightly build for now.

As I said: it won't get merged to 1.7.x.
It will be in the upcoming 1.8 and of course all the nightly builds
until then.

Stefan



------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3049977

Bogardus, Robert K Jr CTR DODHRA DMDC (US)

Feb 27, 2013, 7:02:02 PM2/27/13
to Stefan Küng, Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
Hi Stefan,
In our case, the restricted folder issue isn't a cert issue. It's a real permission issue. So the current functionality is fine.
In our case, the identity is the same on either cert, so trying a different cert won't matter.
We were just stuck with TSVN not being able to work at all if there were 2 choices.

You are probably thinking of a more general case where someone has different certs that allow them access to different portions of the repository.

In our case, as long as we have a widget to clear the registry, that'll be enough for us if we accidentally pick a bad cert or get a new card with different certs, etc.

Thanks.
Bob




------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3049992

Stefan Küng

Feb 28, 2013, 1:45:47 PM2/28/13
to Bogardus, Robert K Jr CTR DODHRA DMDC (US), Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
On 28.02.2013 01:02, Bogardus, Robert K Jr CTR DODHRA DMDC (US) wrote:
> Hi Stefan, In our case, restricted folder issue isn't a cert issue.
> It's a real permission issue. So the current functionality is fine.
> In our case, the identity is the same on either cert, so trying a
> different cert won't matter. We were just stuck with TSVN not being
> able to work at all if there were 2 choices.
>
> You are probably thinking of a more general case where someone has
> different certs that allow them access to different portions of the
> repository.
>
> In our case, as long as we have a widget to clear the registry,
> that'll be enough for us if we accidentally pick a bad cert or get a
> new card with different certs, etc.

Well, the 403 error code could be because a wrong certificate was used
to access the url. That's why I have to clear the cert selection cache
in that situation.

The next nightly build will do that, and it also has the UI to clear the
cache manually from the settings dialog->saved data page.

http://nightlybuilds.tortoisesvn.net/latest/

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3050062
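The cache-invalidation rule Stefan describes above (reuse the remembered certificate choice, throw it away on any rejection because a 403 may be a wrong certificate rather than a real permission denial) is easy to get wrong, so here is an added example that models it. This is editor-written illustration code, not TortoiseSVN or Subversion source: the server, the certificate-selection cache and the user's picks are all constructed stand-ins, and the three-prompt limit is an assumption taken from the behaviour reported at the top of the thread. The real client keeps the index under HKCU\Software\TortoiseSVN\CAPIAuthz; here it is a plain object.

```python
"""Cached client-certificate selection with invalidation on rejection.

Added example, not TortoiseSVN code. Models the logic discussed in the
thread: remember which certificate the user picked, reuse it on the next
connection, and clear that memory whenever the server rejects it, since
the client cannot tell a "wrong cert" 403 from a "no write access" 403.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed outcomes a server can report for a presented certificate.
TLS_ALERT = "SSL error: sslv3 alert handshake failure"  # rejected at TLS layer
OK, UNAUTHORIZED, FORBIDDEN = 200, 401, 403


@dataclass
class FakeServer:
    """Stand-in for the Apache/SVN server: maps cert index -> result.

    Any certificate index not listed is treated as unacceptable at the TLS
    handshake, which is what an unknown or expired CAC cert produces.
    """
    results: Dict[int, object]

    def request(self, cert_index: int) -> object:
        return self.results.get(cert_index, TLS_ALERT)


@dataclass
class CertSelectionCache:
    """Stand-in for the registry value holding the last chosen cert index."""
    index: Optional[int] = None
    clear_count: int = 0

    def clear(self) -> None:
        self.index = None
        self.clear_count += 1


@dataclass
class Client:
    server: FakeServer
    cache: CertSelectionCache
    max_prompts: int = 3      # assumed: client gives up after three prompts
    prompts: int = 0

    def connect(self, user_picks: Callable[[], int]) -> Tuple[object, Optional[int]]:
        """Try to connect; returns (final status, cert index last presented).

        user_picks() is called each time the user must choose a certificate.
        """
        status: object = None
        used: Optional[int] = None
        while self.prompts < self.max_prompts:
            if self.cache.index is not None:
                used = self.cache.index          # silent reuse, no dialog
            else:
                used = user_picks()              # show the cert chooser
                self.prompts += 1
            status = self.server.request(used)
            if status == OK:
                self.cache.index = used          # remember a working choice
                return status, used
            # TLS alert, 401 or 403: the cached choice may be the cause, and
            # the client cannot distinguish "wrong cert" from "no permission",
            # so fail closed and forget it rather than retry the same cert.
            self.cache.clear()
        return status, used


def picks(*indices: int) -> Callable[[], int]:
    """Constructed user behaviour: the sequence of certificates chosen."""
    return iter(indices).__next__
```

The third scenario in the test is the caveat for operators: a user who genuinely lacks write access will see the chooser up to three times and end with an empty cache, which is the trade-off Stefan accepted in exchange for never getting stuck on a stale certificate after a card is replaced.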

Bogardus, Robert K Jr CTR DODHRA DMDC (US)

Mar 7, 2013, 1:19:22 PM3/7/13
to Stefan Küng, Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
Hi Stefan,
Minor issue - the buttons are not active in "the UI to clear the cache manually from the settings dialog->saved data page".
See attached. (From Monday's build, March 4th)

However, at the bottom of the “Overlay Handlers” section, there is a “Start Registry Editor” link, which takes me right to the CAPIAuthz registry setting you created for us where I can manually edit the registry settings as needed... (Not as user friendly of course)

Thanks.
Bob




------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3050545

Settings_CAPIAuthz_Screenshots.pdf

Stefan Küng

Mar 7, 2013, 2:29:11 PM3/7/13
to Bogardus, Robert K Jr CTR DODHRA DMDC (US), Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
On 07.03.2013 19:19, Bogardus, Robert K Jr CTR DODHRA DMDC (US) wrote:
> Hi Stefan, Minor issue - the buttons are not active in "the UI to
> clear the cache manually from the settings dialog->saved data page".
> See attached. (From Monday's build, March 4th)

Fixed in r23977.

Stefan


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3050559

Bogardus, Robert K Jr CTR DODHRA DMDC (US)

Mar 8, 2013, 6:48:26 PM3/8/13
to Stefan Küng, Long, Charles A CIV DODHRA DMDC (US), Calmus, Michael G CTR OSD (US), Jennings, Jared L CTR (US), Dale, Delmar, Dale, Delmar W Jr CTR DODHRA DMDC (US), users
Perfect! We're delighted!

Thanks.
Bob




------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3050643
