Windows Certificate Store / OpenSSL CAPI

1,868 views
Skip to first unread message

Gero Kuehn

unread,
Oct 14, 2011, 6:17:30 AM10/14/11
to us...@tortoisesvn.tigris.org
Hello !
Version 1.7 seems to require that client certificates are stored in the Windows Certificate store.

For a couple of reasons I do not intend to discuss here, I do not want to have my Certificate(s) installed in this engine. I prefer to keep them as .p12 files like it was working before.

The current version is not usable for me this way.

Is there any way to get back to the old behaviour ?

Thank you !

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2855166

To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].

Stefan Küng

unread,
Oct 14, 2011, 6:21:18 AM10/14/11
to us...@tortoisesvn.tigris.org
On 14.10.2011 12:17, Gero Kuehn wrote:
> Hello ! Version 1.7 seems to require that client certificates are
> stored in the Windows Certificate store.
>
> For a couple of reasons I do not intend to discuss here, I do not
> want to have my Certificate(s) installed in this engine. I prefer to
> keep them as .p12 files like it was working before.

For reasons I do not intend to discuss here, I do not want to change
this in TSVN.

> The current version is not usable for me this way.

Then don't.

> Is there any way to get back to the old behaviour ?

edit the servers file in %APPDATA%\Subversion and configure your p12
file there.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2855167

Gero Kuehn

unread,
Oct 14, 2011, 7:03:12 PM10/14/11
to us...@tortoisesvn.tigris.org
Hello Stefan !

> For reasons I do not intend to discuss here, I do
> not want to change this in TSVN.

There is no reason to be offended. I only wanted to avoid the usual flamewars.

My list of reasons includes:
- the windows certificate store does not backup very well (=at all) using our current system
- Internet explorer should not have access to the same certificates as my SVN client
- it is a standard target for trojans/virus software (stealing keys)
- I do not trust the Windows Cryptography APIs at all (you asked for it)
- I need to change certificates frequently (to ones with less privileges) to test per-directory access controls before releasing these new certificates to the intended recipient(s)

Especially the last one is the real issue for me because automatic certificate selections and the GUIs require significantly more time to change/reconfigure than the previous file solution.

> edit the servers file in %APPDATA%\Subversion and configure your p12
file there.

Thanks for the hint.... seriously.

But due to your friendly response, let me make one thing clear for you: I appreciate what you do, but before posting here, I have spent quite some time searching for any kind of information about this issue. Finding out that this is an openssl "feature" and not something caused by TSVN directly was by far the hardest part. The documentation I saw did NOT point me into that direction.

1.7 is only a few days old and I doubt that I am the only one having issues with that supposedly perfect design change. Unless these users find this topic... enjoy the "feedback" wave rolling into your direction.

Gero

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2855357

Dale McCoy

unread,
Oct 15, 2011, 1:00:26 AM10/15/11
to us...@tortoisesvn.tigris.org
On Fri, Oct 14, 2011 at 19:03, Gero Kuehn <tigrisor...@gkware.com> wrote:
> I have spent quite some time searching for any kind of information
> about this issue.

For better or for worse, the default assumption in any support forum
is that the querrent did not do the research. If you did do the
research, it is in your best interest to demonstrate (or at least
mention) that.

> Finding out that this is an openssl "feature" and
> not something caused by TSVN directly was by far the hardest part.
> The documentation I saw did NOT point me into that direction.

Where were you looking? What documentation did you see? If Stefan
knows where you expected to find this information, he can put it
there. A mere "I couldn't find it" doesn't make it easy to improve the
docs, though.

Dale McCoy

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2855659

Stefan Küng

unread,
Oct 15, 2011, 4:01:58 AM10/15/11
to us...@tortoisesvn.tigris.org
On 15.10.2011 01:03, Gero Kuehn wrote:
> Hello Stefan !
>> For reasons I do not intend to discuss here, I do not want to
>> change this in TSVN.
>
> There is no reason to be offended. I only wanted to avoid the usual
> flamewars.
>
> My list of reasons includes: - the windows certificate store does not
> backup very well (=at all) using our current system

not really a reason: you can back up the p12 file before you import it.

> - Internet explorer should not have access to the same certificates
> as my SVN client

Don't see a reason why, but ok.

> - it is a standard target for trojans/virus software (stealing keys)

sure, but so are the well known locations for popular tools like svn
clients.

> - I do not trust the Windows Cryptography APIs at all (you asked for
> it)

any data to back up this paranoia?

> - I need to change certificates frequently (to ones with less
> privileges) to test per-directory access controls before releasing
> these new certificates to the intended recipient(s)
>
> Especially the last one is the real issue for me because automatic
> certificate selections and the GUIs require significantly more time
> to change/reconfigure than the previous file solution.

if there are more than one cert in the store that could match, TSVN will
show a dialog from which you can choose the cert. So you could just add
your test certs to the store as well.

>> edit the servers file in %APPDATA%\Subversion and configure your
>> p12
> file there.
>
> Thanks for the hint.... seriously.
>
> But due to your friendly response, let me make one thing clear for
> you: I appreciate what you do, but before posting here, I have spent
> quite some time searching for any kind of information about this
> issue. Finding out that this is an openssl "feature" and not
> something caused by TSVN directly was by far the hardest part. The
> documentation I saw did NOT point me into that direction.

that openssl feature only works if there's only one single cert in the
store that matches the request. If there are more, it would still just
use either the first one that matches (even if you can't login with it)
or show a selection dialog for every single connection.

TSVN fixed this by patching OpenSSL and providing its own selection
dialog where you can store which cert you chose so it doesn't ask again
for every connection.


Stefan


--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2855844

Reply all
Reply to author
Forward
0 new messages