SVN authentication with client SSL X.509 certificates and apache 2.2

We recently moved our subversion repository to a new, now dedicated server. In the course of that, it seemed reasonable to streamline our old configuration for how authentication and authorization against the repository are done.

Previously, our users were primarily authorized to access the repository using their X.509 certificates. After that authorization had taken place, they were authenticated as well, i.e. asked for their usernames and passwords.

The goal now was to get rid of the second step, allowing authentication and authorization based purely on the certificates.

To be honest, the solution was not so easy to find, because apache’s mod_ssl module is not really designed for authentication purposes. It has a pretty useless “FakeBasicAuth” option, which requires you to store each user manually in an htpasswd-style file, with the hardcoded string ‘password’ as every user’s password. Pretty ugly, IMHO.

However, I finally managed to get to a reasonable result.

Before doing anything else, ensure that you have mod_ssl and mod_dav_svn up and running. I won’t go deeper into those basics.

After the modules are ready, put the following in your apache’s config for the relevant (virtual)host:

<Location /theLocationOfYourRepository>
  SSLVerifyClient require
  SSLRequireSSL

  SSLOptions +StdEnvVars
  SSLUserName SSL_CLIENT_S_DN_Email

  DAV svn
  SVNPath /the/absolute/filesystem/path/of/your/repository
  SVNListParentPath on
  AuthzSVNAccessFile /etc/subversion/apache-acl-file
</Location>

In my case, the emailAddress attribute of the certificate’s subject DN is used to make up the username (“SSLUserName SSL_CLIENT_S_DN_Email”), which is then usable in the AuthzSVNAccessFile, for example:

[/project1]
fred.flintstone@example.com = rw
wilma.flintstone@example.com = r

[/project2]
wilma.flintstone@example.com = rw

# locking out everybody else
[/]
* =

Instead of the emailAddress attribute, you can choose from a number of alternatives, see here [1] and here [2].
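To see how such an access file is actually evaluated, here is a small added example (my own code, not part of the original post and not Subversion’s own implementation): a Python re-implementation of the lookup mod_authz_svn performs, which walks the requested path upward, most specific section first, and applies the first rule that names the user. It is fed the access file from above plus a constructed second file that also uses a [groups] section and a repository-qualified [repo:/path] section, which goes beyond what the post shows. The within-section precedence (explicit user over group over ‘*’) is an assumption that holds for simple files like these; aliases, ‘~’ negation and $authenticated are not modelled.

```python
"""Evaluate a mod_authz_svn access file the way Apache's mod_authz_svn does.

Added example (not code from the original post or from Subversion): sections
are consulted from the requested path up to '/', most specific first, and
within a section an explicit user rule is preferred over a group rule over
'*'. Modelled syntax: [groups], path sections with an optional 'repo:' prefix,
and the values 'rw', 'r' and '' (no access). Aliases, '~' negation and
$authenticated are left out.
"""
from __future__ import annotations

# The access file from the post, embedded so the example runs offline.
ACCESS_FILE = """\
[/project1]
fred.flintstone@example.com = rw
wilma.flintstone@example.com = r

[/project2]
wilma.flintstone@example.com = rw

# locking out everybody else
[/]
* =
"""

# A constructed file with a group and a repository-qualified section
# (hypothetical repository names, not from the post).
MULTI_REPO_FILE = """\
[groups]
devs = fred.flintstone@example.com, barney.rubble@example.com

[repo1:/]
@devs = rw

[/]
* = r
"""


def parse_access_file(text: str) -> tuple[dict[str, set[str]], dict[str, dict[str, str]]]:
    """Return (groups, rules); rules maps a section name to {principal: perms}."""
    groups: dict[str, set[str]] = {}
    rules: dict[str, dict[str, str]] = {}
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):        # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "groups":
                rules.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed access file line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "groups":
            groups[key] = {m.strip() for m in value.split(",") if m.strip()}
        else:
            rules[section][key] = value
    return groups, rules


def _perms_in_section(entries: dict[str, str], user: str,
                      groups: dict[str, set[str]]) -> str | None:
    """Permission string for `user` in one section, or None if no rule applies."""
    if user in entries:                              # explicit user rule wins
        return entries[user]
    for principal, perms in entries.items():         # then group membership
        if principal.startswith("@") and user in groups.get(principal[1:], set()):
            return perms
    return entries.get("*")                          # then the wildcard, if any


def lookup_access(text: str, user: str, path: str, repo: str | None = None) -> str:
    """Return 'rw', 'r' or '' for `user` on `path` ('' means no access).

    At each level a 'repo:/path' section takes precedence over the plain
    '/path' section. With no applicable rule anywhere, access is denied.
    """
    groups, rules = parse_access_file(text)
    current = "/" + path.strip("/")
    while True:
        candidates = ([f"{repo}:{current}"] if repo else []) + [current]
        for section in candidates:
            if section in rules:
                perms = _perms_in_section(rules[section], user, groups)
                if perms is not None:
                    return perms
        if current == "/":
            return ""
        current = current.rsplit("/", 1)[0] or "/"   # one directory up


if __name__ == "__main__":
    for user, path in [
        ("fred.flintstone@example.com", "/project1/trunk/Main.java"),
        ("wilma.flintstone@example.com", "/project1"),
        ("fred.flintstone@example.com", "/project2"),
        ("barney.rubble@example.com", "/project1"),
    ]:
        perms = lookup_access(ACCESS_FILE, user, path) or "no access"
        print(f"{user:32} {path:28} -> {perms}")
```

Running it makes the effect of the final [/] section visible: fred has rw on /project1 and everything below it, but no access at all to /project2, although that section never mentions him, because the lookup falls through to [/] where ‘* =’ denies everyone. That is exactly the check worth doing on a new access file before reloading apache.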

For now, I am quite satisfied how it works.

The only thing left to do in the future will be to map those email addresses against LDAP entries and have the usernames retrieved from the DIT based on the matches. And eventually I would like the AuthzSVNAccessFile to be served from our LDAP server as well, of course. But that will probably be a hard fight.

[1] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars
[2] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire


7 Comments on "SVN authentication with client SSL X.509 certificates and apache 2.2"

Anonymous
Guest

Excellent! Thank you. This is exactly the piece I was missing.

Anonymous
Guest

Have been struggling with SVN and Apache today; the only thing that didn’t work was the SSL authentication. This info was exactly what I needed, thanks!

Anonymous
Guest

It’s 2011 now, yet this thing is still hard to find because the top hits in Google are all related to the use of FakeBasicAuth, which didn’t work.

I actually found this link when I had finally figured out how to do it myself and wanted to post it somewhere ;).

FWIW, I found this only after including x509 and AuthzSVNAccessFile in the query.

stefano
Guest

Hi Udo,
I found your post while fighting against svn and x509 auth/authz. No problem with authentication, but authorization still doesn’t work. I’ve tried with something like this (in /etc/httpd/conf.d/subversion.conf):

LoadModule authz_svn_module modules/mod_authz_svn.so

SSLOptions +StdEnvVars

SSLUserName SSL_CLIENT_S_DN_L (let’s call it MY_L_FIELD)

and then in the /etc/subversion/file_for_authz

[repo1:/proj1]
NO_GOOD = rw (just to test it)

[repo2:/proj2]
MY_L_FIELD = rw

It doesn’t work; I see from the log that the whole DN is there, and on the SVN ML I found only old threads, so I’m unable to understand whether the “bug” has been solved.

btw: I’m on Centos 6.3; Apache/2.2.15; subversion-1.6.11-7

thank you very much, cheers
stefano

Udo Rader
Guest

What does the apache log exactly say? For debugging purposes I’ve added this line to my apache config inside the VirtualHost directive for the SVN host:

CustomLog /var/log/apache2/ssl_morpheus_interal.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" \"%{SSL_CLIENT_S_DN_O}x\" \"%{SSL_CLIENT_S_DN_Email}x\" \"%r\" %b"

You might probably want to add %{SSL_CLIENT_S_DN_L} to the list of logged variables. This should give you a log line like this one:

[18/Jul/2012:12:28:47 +0200] 10.20.10.141 SSLv3 DHE-RSA-AES128-SHA "SVN internal" "BestSolution.at EDV Systemhaus GmbH" "foobar@bestsolution.at" "CHECKOUT /repos/!svn/ver/39221/fooproject/trunk/at.bestsolution.foobar.resoure/src/FooHandler.java HTTP/1.1" 340

This allows you to understand better what exactly subversion sees when it comes to authorization.

And another thing: You are using the [repo:/directory] format inside the AuthzSVNAccessFile file. Do you really have more than one repository? If not, trying with only [/directory] might be a good thing as well.
stefano
Guest

Hi Udo,

> What does the apache log exactly say? For debugging purposes I’ve added this line to my
> apache config inside the VirtualHost directive for the SVN host.

ok, I’ll try and let you know.

> And another thing: You are using the [repo:/directory] format inside the
> AuthzSVNAccessFile file. Do you really have more than one repository? If not, trying
> with only [/directory] might be a good thing as well.

yes; at the moment I’m only testing it but at the end there will be 65 repositories and hundreds of users. I’ve tried even with SVNPath instead of SVNParentPath changing the…
stefano
Guest

Hi again Udo and sorry;

it seems that SSL_CLIENT_S_DN_L is right; I’ve added the value of the variable to my log file (%{SSL_CLIENT_S_DN_L}):

CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN_L}x \"%r\" %b"

and the output is right:

[19/Jul/2012:14:21:18 +0200] xxx.xxx.xxx.xxx TLSv1 DHE-RSA-AES128-SHA MY_FIELD_L "PROPFIND /svn_repo/

I see the right value for MY_FIELD_L. Perhaps, as said before, I must be wrong when I try to map the variable inside the /etc/subversion/file_for_authz file.

thank you, cheers
stefano
