SVN authentication with client SSL X.509 certificates and Apache 2.2

We recently moved our subversion repository to a new, now dedicated server. In the course of doing so, I took the opportunity to streamline our old configuration for how authentication and authorization against the repository are done.

Previously, our users were first authorized to access the repository using their X.509 certificates. Once that had happened, they were authenticated separately and thus asked for their usernames and passwords.

The goal now was to get rid of the second step, so that both authentication and authorization are based purely on the certificates.

To be honest, the solution was not so easy to find, because Apache’s mod_ssl module is not really designed for authentication purposes. It has a rather useless “FakeBasicAuth” option that requires you to store each user manually in an htpasswd-style file, with the hardcoded string ‘password’ as every user’s password. Pretty ugly, IMHO.

However, I finally managed to get to a reasonable result.

Before doing anything else, ensure that you have mod_ssl and mod_dav_svn up and running. I won’t go deeper into those basics.

After the modules are ready, put the following in your Apache config for the relevant (virtual) host:

<Location /theLocationOfYourRepository>
  # the client must present a certificate issued by a CA the server trusts
  SSLVerifyClient require

  # export the SSL_* variables and derive the username from the certificate's emailAddress
  SSLOptions +StdEnvVars
  SSLUserName SSL_CLIENT_S_DN_Email

  DAV svn
  SVNPath /the/absolute/filesystem/path/of/your/repository
  # SVNListParentPath only has an effect together with SVNParentPath
  SVNListParentPath on
  AuthzSVNAccessFile /etc/subversion/apache-acl-file
</Location>

In my case, the emailAddress attribute of the certificate’s subject DN is used to make up the username (“SSLUserName SSL_CLIENT_S_DN_Email”), usable in the AuthzSVNAccessFile, for example:

[/project1] = rw = r

[/project2] = rw

# locking out everybody else
* =

Instead of the emailAddress attribute, you can choose from a number of alternatives, see here [1] and here [2].
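Before deploying an access file like the one above, it helps to check what mod_authz_svn will actually decide for a given certificate holder. The following is an added example, not code from the post: a small Python evaluator for an AuthzSVNAccessFile whose user names are the emailAddress values that SSLUserName SSL_CLIENT_S_DN_Email puts into the request. It also covers the [groups] section and the repository-qualified [repo:/path] form; the ACL, repository name, group and addresses are constructed for the example.

```python
# Added example, not code from the post: would mod_authz_svn grant this user this access
# on this path? Users are what SSLUserName SSL_CLIENT_S_DN_Email puts in r->user. All data constructed.
import configparser
import posixpath

SAMPLE_ACL = """\
[groups]
devs = alice@example.com, bob@example.com
[/]
* =
[/project1]
@devs = rw
carol@example.com = r
[main:/project2]
alice@example.com = rw
"""

def load_authz(text):
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str            # keep the case of user names and paths
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")}
              for g, v in (cp.items("groups") if cp.has_section("groups") else [])}
    return cp, groups

def _bits(cp, section, user, groups):
    # allow/deny bits from every line of the section that applies to the user
    # ("*", "@group" or the user name); nested groups are not expanded (assumption)
    allow, deny = set(), set()
    for name, value in cp.items(section):
        applies = user in groups.get(name[1:], ()) if name.startswith("@") else name in ("*", user)
        if applies:
            for perm in "rw":
                (allow if perm in (value or "") else deny).add(perm)
    return allow, deny

def is_allowed(cp, groups, repo, user, path, required="r"):
    # walk from path up to "/"; the most specific section that decides wins
    need = set(required)
    path = posixpath.normpath("/" + path.strip("/"))
    while True:
        for section in (repo + ":" + path, path):   # repository-qualified form first
            if cp.has_section(section):
                allow, deny = _bits(cp, section, user, groups)
                if need <= allow:
                    return True
                if (deny & need) and not (allow & need):
                    return False
        if path == "/":
            return False            # no rule decided: access denied
        path = posixpath.dirname(path)
```

With the "* =" lockout at the root, anyone whose certificate email is not named in a more specific section ends up denied, which is the behaviour the access file above is meant to enforce.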

For now, I am quite satisfied with how it works.

The only thing to be done in the future will be to map those email addresses against LDAP entries and have the usernames retrieved from the DIT based on the matches. Eventually I also want the AuthzSVNAccessFile to be served from our LDAP server, of course, but that will probably be a hard fight.



Excellent! Thank you. This is exactly the piece I was missing.


Have been struggling with SVN and Apache today; the only thing that didn’t work was the SSL authentication. This info was exactly what I needed, thanks!


It’s 2011 now, yet this thing is still hard to find because the top hits in Google are all related to the use of fakebasicauth, which didn’t work.

I actually found this link when I’d finally figured out how to do it myself, and wanted to post it somewhere ;).

FWIW, I found this only after including x509 and AuthzSVNAccessFile in the query.


Hi Udo,
I’ve found your post while fighting with svn and x509 auth/authz. No problem with authentication, but authorization still doesn’t work. I’ve tried with something like (in /etc/httpd/conf.d/subversion.conf):

LoadModule authz_svn_module modules/

SSLOptions +StdEnvVars

SSLUserName SSL_CLIENT_S_DN_L (let’s call it MY_L_FIELD)

and then in the /etc/subversion/file_for_authz

NO_GOOD = rw (just to test it)


it doesn’t work; I see from the log that the whole DN is there, and on the SVN mailing list I found only old threads, so I couldn’t understand whether the “bug” has been solved.

btw: I’m on CentOS 6.3; Apache/2.2.15; subversion-1.6.11-7

thank you very much, cheers

Udo Rader

What does the Apache log exactly say? For debugging purposes I’ve added this line to my Apache config inside the VirtualHost directive for the SVN host:

CustomLog /var/log/apache2/ssl_morpheus_interal.log “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%{SSL_CLIENT_S_DN_OU}x” “%{SSL_CLIENT_S_DN_O}x” “%{SSL_CLIENT_S_DN_Email}x” “%r” %b”

You might probably want to add %{SSL_CLIENT_S_DN_L} to the list of logged variables. This should give you a log line like this one:

[18/Jul/2012:12:28:47 +0200] SSLv3 DHE-RSA-AES128-SHA “SVN internal” “ EDV Systemhaus GmbH” “” “CHECKOUT /repos/!svn/ver/39221/fooproject/trunk/at.bestsolution.foobar.resoure/src/ HTTP/1.1” 340

This allows you to understand better what exactly subversion sees when it comes to authorization. And another thing: You are using the [repo:/directory] format…


Hi Udo,

> What does the apache log exactly say? For debugging purposes I’ve added this line to my apache config inside the VirtualHost directive for the SVN host.

ok, I’ll try and let you know.

> And another thing: You are using the [repo:/directory] format inside the AuthzSVNAccessFile file. Do you really have more than one repository? If not, trying with only [/directory] might be a good thing as well.

yes; at the moment I’m only testing it but at the end there will be 65 repositories and hundreds of users. I’ve tried even with SVNPath instead of SVNParentPath changing the…


Hi again Udo and sorry;

it seems that SSL_CLIENT_S_DN_L is right; I’ve added the value of the variable to my log file (%{SSL_CLIENT_S_DN_L}):

CustomLog logs/ssl_request_log “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_S_DN_L}x “%r” %b”

and the output is right:

[19/Jul/2012:14:21:18 +0200] TLSv1 DHE-RSA-AES128-SHA MY_FIELD_L “PROPFIND /svn_repo/

I see the right value for MY_FIELD_L. Perhaps, as said before, I must be wrong when I try to map the variable inside the /etc/subversion/file_for_authz.

thank you, cheers
stefano
