Compiling with capieng enabled for smart card authentication

47 views
Skip to first unread message

Lucas Johnson

unread,
Apr 14, 2009, 9:10:13 AM4/14/09
to us...@tortoisesvn.tigris.org
I read a post by someone else who mentioned that version 1.5.5 of TortoiseSVN had the capieng enabled by default. This option has to be turned on before smart cards, or Common Access Cards (CAC), can be used for authentication. I tried version 1.5.5 and it worked perfectly for me. However, when I try to custom build version 1.6.0 or 1.6.1, these are the only two versions that I have tried so far, I cannot get smart card authentication to work with the options that I believe are turned on in version 1.5.5. I have followed the instructions in the build.txt file and I can successfully build the resulting Windows installer package (.msi) file. So I have modified default.build.user, doc/doc.build.user, Languages.txt, and OpenSSL.build. In OpenSSL.build my win32 section looks like the following:

<if test="${platform == 'win32'}">
<exec program="perl" workingdir="..\..\..\common\openssl">
<arg value="Configure" />
<arg value="VC-WIN32" />
<!-- added the following three args to enable CAC authentication -->
<arg value="enable-capieng" />
<arg value="-DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi" />
<arg value="-DOPENSSL_CAPIENG_DIALOG" />
<!-- finish modifying args -->
</exec>
<exec program="cmd" workingdir="..\..\..\common\openssl">
<arg value="/c" />
<arg value="ms\do_masm" />
</exec>
<exec program="nmake" workingdir="..\..\..\common\openssl">
<arg value="-f" />
<arg value="ms\nt.mak" />
</exec>
</if>

I've looked at version 1.5.5's OpenSSL.build file and these are the options that were added. My question is whether or not I am missing something? When I install my compiled version and connect to a server that I know works with CAC authentication because I've tried it using version 1.5.5 of TortoiseSVN, it always just displays the "Open client certificate file" dialog. Are there other build files that I must modify?

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1710400

To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].

Stefan Küng

unread,
Apr 14, 2009, 12:30:54 PM4/14/09
to us...@tortoisesvn.tigris.org
Lucas Johnson wrote:
> I read a post by someone else who mentioned that version 1.5.5 of TortoiseSVN had the capieng enabled by default. This option has to be turned on before smart cards, or Common Access Cards (CAC), can be used for authentication. I tried version 1.5.5 and it worked perfectly for me. However, when I try to custom build version 1.6.0 or 1.6.1, these are the only two versions that I have tried so far, I cannot get smart card authentication to work with the options that I believe are turned on in version 1.5.5. I have followed the instructions in the build.txt file and I can successfully build the resulting Windows installer package (.msi) file. So I have modified default.build.user, doc/doc.build.user, Languages.txt, and OpenSSL.build. In OpenSSL.build my win32 section looks like the following:
>
> <if test="${platform == 'win32'}">
> <exec program="perl" workingdir="..\..\..\common\openssl">
> <arg value="Configure" />
> <arg value="VC-WIN32" />
> <!-- added the following three args to enable CAC authentication -->
> <arg value="enable-capieng" />
> <arg value="-DOPENSSL_SSL_CLIENT_ENGINE_AUTO=capi" />
> <arg value="-DOPENSSL_CAPIENG_DIALOG" />

If you don't want the dialogs, remove the last line.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1712841

signature.asc

Lucas Johnson

unread,
Apr 14, 2009, 2:07:12 PM4/14/09
to us...@tortoisesvn.tigris.org
No, I think the -DOPENSSL_CAPIENG_DIALOG option is the only way a user will be asked for a pin. Entering a pin is how smart cards/CAC cards work.

Update: I am currently trying to build version 1.5.5, but compilation is failing, something about external program candle error, but this is probably a discussion for another topic along with how difficult this build process is and everytime I build it's like a new error pops up. Anyways, I will try to see if I can successfully build 1.5.5 with smart card authentication. What I meant to mention in my first post is that I compiled TortoiseSVN 1.6.0 with OpenSSL 0.9.8j and TortoiseSVN 1.6.1 with OpenSSL 0.9.8k with the OpenSSL.build options in my first post. Both compiled and no message in the logs indicated that the capieng would not work. Now I am trying to compile version 1.5.5 with OpenSSL 0.9.8i to see what happens, because that is the recommended version for TortoiseSVN 1.5.5. However, I am still in need of directions for compiling new versions of TortoiseSVN when they are released with the Cyrpto API Engine turned on with a dialog asking for a pin number.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1714153

Stefan Küng

unread,
Apr 14, 2009, 3:06:37 PM4/14/09
to us...@tortoisesvn.tigris.org
Lucas Johnson wrote:
> No, I think the -DOPENSSL_CAPIENG_DIALOG option is the only way a
> user will be asked for a pin. Entering a pin is how smart cards/CAC
> cards work.
>
> Update: I am currently trying to build version 1.5.5, but compilation
> is failing, something about external program candle error, but this

Version 1.5.x uses WiX version 2, while for 1.6.x and trunk we require
WiX version 3.


Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1714799

signature.asc

Lucas Johnson

unread,
Apr 14, 2009, 6:29:20 PM4/14/09
to us...@tortoisesvn.tigris.org
Thanks, I checked my PATH and realized that I still had WiX version 3 in my PATH. Changing this to WiX version 2 solved my problem for compiling version 1.5.5. And I was able to successfully get smart card authentication working building version 1.5.5.

However, I still cannot get smart card authentication to work properly for version 1.6.0 and newer with OpenSSL 0.9.8k.

Any thoughts?

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1717144

Stefan Küng

unread,
Apr 15, 2009, 12:11:07 PM4/15/09
to us...@tortoisesvn.tigris.org
Lucas Johnson wrote:
> Thanks, I checked my PATH and realized that I still had WiX version 3
> in my PATH. Changing this to WiX version 2 solved my problem for
> compiling version 1.5.5. And I was able to successfully get smart
> card authentication working building version 1.5.5.
>
> However, I still cannot get smart card authentication to work
> properly for version 1.6.0 and newer with OpenSSL 0.9.8k.
>
> Any thoughts?

Can you describe what exactly is different between those versions?
Also, the reason I had to deactivate this is that it's not really
implemented in Subversion and therefor the default handling of OpenSSL
doesn't work as you might expect...

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1729191

signature.asc

web...@tigris.org

unread,
Apr 16, 2009, 3:17:08 PM4/16/09
to us...@tortoisesvn.tigris.org
> Can you describe what exactly is different between those versions?

Are you referring to the TortoiseSVN version or the OpenSSL version? And the answer to both questions from me is "I don't know". That is what I am trying to figure out so that I can successfully compile a version that works with CAC authentication. I was hoping that it would be as simple as setting the three config arguments:


<arg value="enable-capieng" />
<arg value="-DOPENSSL_SSL​_CLIENT_ENGINE_AUTO=​capi" />
<arg value="-DOPENSSL_CAP​IENG_DIALOG" />

in the OpenSSL.build file, but it doesn't look like I am that lucky. I know that in TortoiseSVN a lot has changed between version 1.5.5 and version 1.6.0. I was hoping someone could easily tell me that, "Oh, that functionality no longer exists in version 1.6.0 and we are never going back" In which case, I would tell my customers that they have to install version 1.5.5 and they never get to update to a newer version of TortoiseSVN. Or, tell me that I am just missing a crucial configuration option that will display the "OpenSSL Application SSL Client Certificate" dialog. I was really hoping that I could easily modify some configuration files to get CAC authentication working for any future release of TortoiseSVN, that way I can take advantage of new features and bug fixes of not only TortoiseSVN, but also of OpenSSL.

> Also, the reason I had to deactivate this is that it's not really
> implemented in Subversion and therefor the default handling of OpenSSL
> doesn't work as you might expect...

Does this mean that there is more than just a configuration option for making CAC authentication happen in new releases of TortosieSVN? If so, is it something that can easily be added back into the code base so that a configuration option can be set to compile this functionality? I would be willing to help with this if someone could help me in the right direction. It obviously worked in version 1.5.5, but I do not have any knowledge of the TortoiseSVN software and do not want to waste a lot of time searching for a needle in the haystack.

-lej

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1753180

Stefan Küng

unread,
Apr 16, 2009, 3:56:17 PM4/16/09
to us...@tortoisesvn.tigris.org
web...@tigris.org wrote:
>> Can you describe what exactly is different between those versions?
>
> Are you referring to the TortoiseSVN version or the OpenSSL version?

I'm referring to the behavior you see. In 1.5.5, I guess you'll get a
dialog? What happens in 1.6? No dialog? A dialog but smartcard doesn't
work? ?

> And the answer to both questions from me is "I don't know". That is what I am trying to figure out so that I can successfully compile a version that works with CAC authentication. I was hoping that it would be as simple as setting the three config arguments:
> <arg value="enable-capieng" />
> <arg value="-DOPENSSL_SSL​_CLIENT_ENGINE_AUTO=​capi" />
> <arg value="-DOPENSSL_CAP​IENG_DIALOG" />
> in the OpenSSL.build file, but it doesn't look like I am that lucky. I know that in TortoiseSVN a lot has changed between version 1.5.5 and version 1.6.0. I was hoping someone could easily tell me that, "Oh, that functionality no longer exists in version 1.6.0 and we are never going back" In which case, I would tell my customers that they have to install version 1.5.5 and they never get to update to a newer version of TortoiseSVN. Or, tell me that I am just missing a crucial configuration option that will display the "OpenSSL Application SSL Client Certificate" dialog. I was really hoping that I could easily modify some configuration files to get CAC authentication working for any future release of TortoiseSVN, that way I can take advantage of new features and bug fixes of not only TortoiseSVN, but also of OpenSSL.
>
>> Also, the reason I had to deactivate this is that it's not really
>> implemented in Subversion and therefor the default handling of OpenSSL
>> doesn't work as you might expect...
>
> Does this mean that there is more than just a configuration option for making CAC authentication happen in new releases of TortosieSVN? If so, is it something that can easily be added back into the code base so that a configuration option can be set to compile this functionality? I would be willing to help with this if someone could help me in the right direction. It obviously worked in version 1.5.5, but I do not have any knowledge of the TortoiseSVN software and do not want to waste a lot of time searching for a needle in the haystack.

Well, the whole capi stuff if used right should be implemented in svn
(serf and/or neon to be exact). The option OPENSSL_CAP​IENG_DIALOG is
merely a workaround for apps that don't implement capi themselves. For
example, svn would show its own dialogs instead of the default ones
built in openssl and allow the user to 'save' the selected certificate
so the dialog doesn't pop up for every connection.

But other than that, it should work the same in 1.6 as it did in 1.5.5 -
there were no changes in TSVN and/or svn which would change that (at
least not that I'm aware of).

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1753890

signature.asc

web...@tigris.org

unread,
Apr 16, 2009, 4:13:45 PM4/16/09
to us...@tortoisesvn.tigris.org
> I'm referring to the behavior you see. In 1.5.5, I guess you'll get a
> dialog? What happens in 1.6? No dialog? A dialog but smartcard doesn't
> work? ?

In version 1.5.5 I see a "OpenSSL Application SSL Client Certificate" dialog that prompts a user to select a certificate to use from their CAC/smart card and enter a pin number, which is what I want. In every version other than version 1.5.5 I just get a "Open client certificate file" dialog that prompts a user to select a certificate file from the hard drive.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1754196

Stefan Küng

unread,
Apr 16, 2009, 4:21:42 PM4/16/09
to us...@tortoisesvn.tigris.org
web...@tigris.org wrote:
>> I'm referring to the behavior you see. In 1.5.5, I guess you'll get
>> a dialog? What happens in 1.6? No dialog? A dialog but smartcard
>> doesn't work? ?
>
> In version 1.5.5 I see a "OpenSSL Application SSL Client Certificate"
> dialog that prompts a user to select a certificate to use from their
> CAC/smart card and enter a pin number, which is what I want. In
> every version other than version 1.5.5 I just get a "Open client
> certificate file" dialog that prompts a user to select a certificate
> file from the hard drive.

maybe you can compare the openssl versions (e.g. with winmerge) and
check what's changed.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=1754242

signature.asc

web...@tigris.org

unread,
May 4, 2009, 9:05:45 AM5/4/09
to us...@tortoisesvn.tigris.org, Lucas Johnson
Has anyone gotten this working? I work for a DoD agency that uses CACs and we really need to get this to function correctly.

Stefan,
Maybe I'm misunderstanding you, but something definitely was changed. 1.5.5 will allow you to select certificates from a smart card (though as you say it does ask again on every connect) while newer versions only allow you to select file based certificates.

It appears to have been changed as a result of this thread:
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=92849

and a little more info:
http://groups.google.com/group/tortoisesvn/browse_thread/thread/18d88aa34c7c944e

I'd greatly appreciate any help.

Thanks,
Patrick

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2056291

Lucas Johnson

unread,
May 4, 2009, 10:42:50 AM5/4/09
to us...@tortoisesvn.tigris.org
Patrick,

I have compiled newer versions of TortoiseSVN with CAC authentication
following the steps in the build.txt file, but you have to take some
files from TortoiseSVN 1.5.5. Also, you can only use OpenSSL 0.9.8i,
not a newer version. I copied OpenSSL.build, VC-32.pl, and ossl_typ.h
from 1.5.5 to 1.6.1 in their appropriate locations, then everything
compiles fine using nant release setup.

The change seems to be in OpenSSL for using capi, but I'm not sure if
modifications need to be made to TortoiseSVN or OpenSSL so that newer
versions of OpenSSL can be used with TortoiseSVN with CAC
authentication.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2057138

Stefan Küng

unread,
May 4, 2009, 12:31:27 PM5/4/09
to us...@tortoisesvn.tigris.org
Lucas Johnson wrote:
> Patrick,
>
> I have compiled newer versions of TortoiseSVN with CAC authentication
> following the steps in the build.txt file, but you have to take some
> files from TortoiseSVN 1.5.5. Also, you can only use OpenSSL 0.9.8i,
> not a newer version. I copied OpenSSL.build, VC-32.pl, and ossl_typ.h
> from 1.5.5 to 1.6.1 in their appropriate locations, then everything
> compiles fine using nant release setup.
>
> The change seems to be in OpenSSL for using capi, but I'm not sure if
> modifications need to be made to TortoiseSVN or OpenSSL so that newer
> versions of OpenSSL can be used with TortoiseSVN with CAC
> authentication.

Comparing OpenSSL 0.9.8k with 0.9.8k reveals that capieng has to be
enabled now with
experimental-capieng
instead of
enable-capieng

this change was made because capieng is still considered experimental
and should therefore not be as easily enabled as other options.

So, change the OpenSSL.build file and replace the lines
<arg value="enable-capieng" />
with
<arg value="experimental-capieng" />

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2057870

signature.asc

web...@tigris.org

unread,
May 4, 2009, 1:28:46 PM5/4/09
to us...@tortoisesvn.tigris.org
Thank you both very much for your quick replies. This definitely helps as it will allow us to at least function with CAC support for the latest version. However, I'm assuming that this still functions as it did in 1.5.5, with a prompt for each action (and multiple times when brining up the repository browser). Is there any way to make it default to a particular certificate?

Also, do you have any pointers for the Apache configuration? We thought we had it figured out but something is wrong. When we access the repository through a web browser, we are prompted for a CAC and can access the site. However, pointing TortoiseSVN to the same URL results in a prompt for a file based certificate, even with version 1.5.5.

Thanks,
Patrick

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2058301

Stefan Küng

unread,
May 4, 2009, 1:37:04 PM5/4/09
to us...@tortoisesvn.tigris.org
web...@tigris.org wrote:
> Thank you both very much for your quick replies. This definitely
> helps as it will allow us to at least function with CAC support for
> the latest version. However, I'm assuming that this still functions
> as it did in 1.5.5, with a prompt for each action (and multiple times
> when brining up the repository browser). Is there any way to make it
> default to a particular certificate?

No, that's the reason why I disabled it again in TSVN.
To get such a feature (e.g., using a default certificate or even save a
specific certificate like the "save authentication" does for 'normal'
authentication) it has to be implemented in the Subversion library and
serf/neon.

btw: if you guys keep compiling TSVN yourself to get capieng compiled
in, but don't send mails to the Subversion list asking for this feature,
it will never get implemented. Seriously, send mails there and request
that feature!

> Also, do you have any pointers for the Apache configuration? We
> thought we had it figured out but something is wrong. When we access
> the repository through a web browser, we are prompted for a CAC and
> can access the site. However, pointing TortoiseSVN to the same URL
> results in a prompt for a file based certificate, even with version
> 1.5.5.

Did you specify
<arg value="-DOPENSSL_CAPIENG_DIALOG" />
in the OpenSSL.build file?

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2058351

signature.asc

web...@tigris.org

unread,
May 4, 2009, 2:02:24 PM5/4/09
to us...@tortoisesvn.tigris.org
> No, that's the reason why I disabled it again in TSVN.
> To get such a feature (e.g., using a default certificate or even save a
> specific certificate like the "save authentication" does for 'normal'
> authentication) it has to be implemented in the Subversion library and
> serf/neon.

That is what I thought. Thanks for confirming that.

> btw: if you guys keep compiling TSVN yourself to get capieng compiled
> in, but don't send mails to the Subversion list asking for this feature,
> it will never get implemented. Seriously, send mails there and request
> that feature!

Sorry, I was told to investigate the possibility of using smart card
certificates in place of username/password and haven't actually made
it to the point of compiling it myself; I just wanted to see if it was
an option if we are told that we must make that switch immediately.
I will be sure to submit the feature request; do I just send it to
the Subversion dev mailing list (sorry, I'm pretty new to all this).

> Did you specify
> <arg value="-DOPENSSL_CAPIENG_DIALOG" />
> in the OpenSSL.build file?

Actually, I was connecting with the 1.5.5 release, not building my own.
There is something about our Apache configuration that isn't
quite right, but I'm not sure what it is.

Thanks again for the help,
Patrick

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2058592

web...@tigris.org

unread,
May 20, 2009, 4:09:16 PM5/20/09
to us...@tortoisesvn.tigris.org
We also need this capability to be enabled as a run time option, at least as it worked in 1.5.5, even though it was a little bit irritating sometimes, but it sure is not clear as to which list we are supposed to post to get a discussion of implementing this capability into the queue for enhancement requests.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2335454

ronnie_and_sandy

unread,
Jun 6, 2011, 1:43:59 PM6/6/11
to us...@tortoisesvn.tigris.org
I realize this thread has been dormant for 2 years, but I am trying to get my
svn client to retrieve my CAC creds instead of asking me for a file
location. Is the solution suggested above and inserted here, below, still
the best option? I am using 64-bit tortoise on a Windows 7 box. Perhaps I
should revert to an older than 1.6 version of tortoise, or perhaps a 32-bit
version? Thanks!

-------------------

So, change the OpenSSL.build file and replace the lines
<arg value="enable-capieng" />
with
<arg value="experimental-capieng" />

--
View this message in context: http://old.nabble.com/Compiling-with-capieng-enabled-for-smart-card-authentication-tp23039249p31785575.html
Sent from the tortoisesvn - users mailing list archive at Nabble.com.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759107

Stefan Küng

unread,
Jun 6, 2011, 2:24:00 PM6/6/11
to us...@tortoisesvn.tigris.org
On 06.06.2011 19:43, ronnie_and_sandy wrote:
> I realize this thread has been dormant for 2 years, but I am trying to get my
> svn client to retrieve my CAC creds instead of asking me for a file
> location. Is the solution suggested above and inserted here, below, still
> the best option? I am using 64-bit tortoise on a Windows 7 box. Perhaps I
> should revert to an older than 1.6 version of tortoise, or perhaps a 32-bit
> version? Thanks!

The nightly builds are already compiling with capieng enabled.
If you like, you could try one of those.

And if you do, would you be willing to help me test some changes I like
to implement? You'd have to have two matching certificates in your cert
store so you get a dialog from OpenSSL to choose one of those certificates.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759114

ronnie_and_sandy

unread,
Jun 6, 2011, 3:43:34 PM6/6/11
to us...@tortoisesvn.tigris.org
Thanks, Stefan!

Took today's build and was being prompted for the CAC pin properly (several
times, as indicated above).

Will be glad to help with the tests. I assume you have a URL you'd like me
to hit, along w/ the certs? Instructions on using the certs would be
helpful. If they can be saved to a file, that will be easy for me. If they
need to be put in the java cert store or such, I'm less familiar w/ that
process, though I've done it.


Stefan Küng wrote:
>
> The nightly builds are already compiling with capieng enabled.
> If you like, you could try one of those.
>
> And if you do, would you be willing to help me test some changes I like
> to implement? You'd have to have two matching certificates in your cert
> store so you get a dialog from OpenSSL to choose one of those
> certificates.
>
> Stefan
>

--
View this message in context: http://old.nabble.com/Compiling-with-capieng-enabled-for-smart-card-authentication-tp23039249p31786474.html


Sent from the tortoisesvn - users mailing list archive at Nabble.com.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759119

Stefan Küng

unread,
Jun 6, 2011, 4:40:21 PM6/6/11
to us...@tortoisesvn.tigris.org
On 06.06.2011 21:43, ronnie_and_sandy wrote:
> Thanks, Stefan!
>
> Took today's build and was being prompted for the CAC pin properly (several
> times, as indicated above).

You're only asked for the pin and not to select a specific certificate?
That means you only have one certificate that matches. Unfortunately
that's not what I'm trying to test.
Maybe you can add another certificate that matches but isn't valid, e.g.
an expired one?

> Will be glad to help with the tests. I assume you have a URL you'd like me
> to hit, along w/ the certs? Instructions on using the certs would be
> helpful. If they can be saved to a file, that will be easy for me. If they
> need to be put in the java cert store or such, I'm less familiar w/ that
> process, though I've done it.

I'm not quite ready yet with my test build. Still trying to figure some
things out. But I'll be ready soon. I'll post a link to the test version
as soon as I'm ready.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759131

ronnie_and_sandy

unread,
Jun 6, 2011, 4:51:40 PM6/6/11
to us...@tortoisesvn.tigris.org
Well, the CAC has an e-mail cert and an identity cert. Is that good enough
for your test?


Stefan Küng wrote:
>
> You're only asked for the pin and not to select a specific certificate?
> That means you only have one certificate that matches. Unfortunately
> that's not what I'm trying to test.
> Maybe you can add another certificate that matches but isn't valid, e.g.
> an expired one?
>
>> Will be glad to help with the tests. I assume you have a URL you'd like
>> me
>> to hit, along w/ the certs? Instructions on using the certs would be
>> helpful. If they can be saved to a file, that will be easy for me. If
>> they
>> need to be put in the java cert store or such, I'm less familiar w/ that
>> process, though I've done it.
>
> I'm not quite ready yet with my test build. Still trying to figure some
> things out. But I'll be ready soon. I'll post a link to the test version
> as soon as I'm ready.
>
> Stefan
>

--
View this message in context: http://old.nabble.com/Compiling-with-capieng-enabled-for-smart-card-authentication-tp23039249p31787022.html


Sent from the tortoisesvn - users mailing list archive at Nabble.com.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759132

Stefan Küng

unread,
Jun 7, 2011, 2:25:05 AM6/7/11
to us...@tortoisesvn.tigris.org
On 06.06.2011 22:51, ronnie_and_sandy wrote:
> Well, the CAC has an e-mail cert and an identity cert. Is that good enough
> for your test?

Unfortunately not, it requires two identity certs since email certs
aren't considered for the authentication with the svn repo. So all
that's left is one cert and if there's only one, you don't get a dialog
asking you to choose which cert to use - since there's only one, that
cert is used without asking you first.

But I had another idea which wouldn't require two matching certs in the
store. I'll have a test msi ready soon...

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759445

Stefan Küng

unread,
Jun 7, 2011, 3:19:58 AM6/7/11
to us...@tortoisesvn.tigris.org
On Tue, Jun 7, 2011 at 08:25, Stefan Küng <torto...@gmail.com> wrote:
> On 06.06.2011 22:51, ronnie_and_sandy wrote:
>>
>> Well, the CAC has an e-mail cert and an identity cert. Is that good enough
>> for your test?
>
> Unfortunately not, it requires two identity certs since email certs aren't
> considered for the authentication with the svn repo. So all that's left is
> one cert and if there's only one, you don't get a dialog asking you to
> choose which cert to use - since there's only one, that cert is used without
> asking you first.
>
> But I had another idea which wouldn't require two matching certs in the
> store. I'll have a test msi ready soon...

Please install the test version from here:
http://nightlybuilds.tortoisesvn.net/latest/

either in the win32 or x64 folder (not in the full/small folders).

You should still be able to get access to the repository if your
certificate is valid. Only expired certs are now discarded
automatically.

Stefan

--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759465

ronnie_and_sandy

unread,
Jun 7, 2011, 11:03:15 AM6/7/11
to us...@tortoisesvn.tigris.org
Install and test went nicely. Didn't even have to reboot :).

BTW, I did get prompted to choose b/w the e-mail and ID cert.

Thanks for the upgrade! Glad to see this functionality is on your radar.
Will be looking for it in the next official release(?)

-Ronnie

p.s. No expired certs on my card, so that functionality remains untested


Stefan Küng wrote:
>
> On Tue, Jun 7, 2011 at 08:25, Stefan Küng <torto...@gmail.com> wrote:
>> On 06.06.2011 22:51, ronnie_and_sandy wrote:
>>>
>>> Well, the CAC has an e-mail cert and an identity cert. Is that good
>>> enough
>>> for your test?
>>
>> Unfortunately not, it requires two identity certs since email certs
>> aren't
>> considered for the authentication with the svn repo. So all that's left
>> is
>> one cert and if there's only one, you don't get a dialog asking you to
>> choose which cert to use - since there's only one, that cert is used
>> without
>> asking you first.
>>
>> But I had another idea which wouldn't require two matching certs in the
>> store. I'll have a test msi ready soon...
>
> Please install the test version from here:
> http://nightlybuilds.tortoisesvn.net/latest/
>
> either in the win32 or x64 folder (not in the full/small folders).
>
> You should still be able to get access to the repository if your
> certificate is valid. Only expired certs are now discarded
> automatically.
>
> Stefan
>

:-D:-D:-D:-D:-D:-D:-D
--
View this message in context: http://old.nabble.com/Compiling-with-capieng-enabled-for-smart-card-authentication-tp23039249p31792101.html


Sent from the tortoisesvn - users mailing list archive at Nabble.com.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759607

Stefan Küng

unread,
Jun 7, 2011, 11:35:45 AM6/7/11
to us...@tortoisesvn.tigris.org
On 07.06.2011 17:03, ronnie_and_sandy wrote:
> Install and test went nicely. Didn't even have to reboot :).
>

Thanks for testing!

> BTW, I did get prompted to choose b/w the e-mail and ID cert.

Now that's the exact situation I want to test :)
You see, getting prompted to select a certificate can get annoying
really fast.
So I have to find a way to store the selection so you won't get prompted
anymore for every single connection TSVN has to make to the repository.

Question: if you chose the wrong certificate, do you get an error from
TSVN or do you then get prompted again for a certificate?

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759610

ronnie_and_sandy

unread,
Jun 7, 2011, 12:14:16 PM6/7/11
to us...@tortoisesvn.tigris.org
Stefan Küng wrote:
>
> Now that's the exact situation I want to test :)
> You see, getting prompted to select a certificate can get annoying
> really fast.
>

Yup. I've gotta baby-sit the commit until it is over.


Stefan Küng wrote:
>
> So I have to find a way to store the selection so you won't get prompted
> anymore for every single connection TSVN has to make to the repository.
>
> Question: if you chose the wrong certificate, do you get an error from
> TSVN or do you then get prompted again for a certificate?
>

Both. I got prompted, chose the wrong cert again, and got an error. The
commit failed so all sends were rolled back.


Stefan Küng wrote:
>
> Stefan
>

--
View this message in context: http://old.nabble.com/Compiling-with-capieng-enabled-for-smart-card-authentication-tp23039249p31793382.html


Sent from the tortoisesvn - users mailing list archive at Nabble.com.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759613

Stefan Küng

unread,
Jun 7, 2011, 3:14:38 PM6/7/11
to us...@tortoisesvn.tigris.org
On Tue, Jun 7, 2011 at 18:14, ronnie_and_sandy
<ronnie_a...@nerdshack.com> wrote:
> Stefan Küng wrote:
>>
>> Now that's the exact situation I want to test :)
>> You see, getting prompted to select a certificate can get annoying
>> really fast.
>>
>
> Yup. I've gotta baby-sit the commit until it is over.
>
>
> Stefan Küng wrote:
>>
>> So I have to find a way to store the selection so you won't get prompted
>> anymore for every single connection TSVN has to make to the repository.
>>
>> Question: if you chose the wrong certificate, do you get an error from
>> TSVN or do you then get prompted again for a certificate?
>>
>
> Both. I got prompted, chose the wrong cert again, and got an error. The
> commit failed so all sends were rolled back.

I've uploaded another test version.
This time I disabled the capi engine in OpenSSL. Instead I'm trying to
get the certs from the cert store from the svn lib callback myself and
then return that cert back to the svn lib. If this works, I can add an
option to store the selected cert so the user doesn't have to choose
for every connection.

Stefan

--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2759643

Stefan Küng

unread,
Jun 8, 2011, 3:41:45 PM6/8/11
to us...@tortoisesvn.tigris.org, ronnie_a...@nerdshack.com
On Tue, Jun 7, 2011 at 21:14, Stefan Küng <torto...@gmail.com> wrote:
> On Tue, Jun 7, 2011 at 18:14, ronnie_and_sandy
> <ronnie_a...@nerdshack.com> wrote:
>> Stefan Küng wrote:
>>>
>>> Now that's the exact situation I want to test :)
>>> You see, getting prompted to select a certificate can get annoying
>>> really fast.
>>>
>>
>> Yup. I've gotta baby-sit the commit until it is over.
>>
>>
>> Stefan Küng wrote:
>>>
>>> So I have to find a way to store the selection so you won't get prompted
>>> anymore for every single connection TSVN has to make to the repository.
>>>
>>> Question: if you chose the wrong certificate, do you get an error from
>>> TSVN or do you then get prompted again for a certificate?
>>>
>>
>> Both. I got prompted, chose the wrong cert again, and got an error. The
>> commit failed so all sends were rolled back.
>
> I've uploaded another test version.
> This time I disabled the capi engine in OpenSSL. Instead I'm trying to
> get the certs from the cert store from the svn lib callback myself and
> then return that cert back to the svn lib. If this works, I can add an
> option to store the selected cert so the user doesn't have to choose
> for every connection.
>

did you have a chance to test this new version?
Because if this would work, I'll have a lot of work to do to make it
work perfectly.

Stefan

--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2760531

Stefan Küng

unread,
Jun 10, 2011, 4:30:17 AM6/10/11
to us...@tortoisesvn.tigris.org
The next nightly build should work much better.
If there's only one certificate that matches the request in the
certificate store, the situation is like it was before: the
authentication is handled automatically in the background and you're
never even bothered with it.

If there is more than one certificate that matches the request in the
certificate store, TSVN (not OpenSSL like before) shows the cert
selection dialog, and stores the selected certificate (only the index
of the certificate in the store, not the certificate itself) so
further auth requests can be handled automatically. So you should only
get asked once for the certificate.

Stefan

--
       ___
  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2761984

Reply all
Reply to author
Forward
0 new messages