[cvsnt] sserver with self-signed certificates

Tony Hoyle tony.hoyle at march-hare.com
Tue Mar 14 00:28:51 GMT 2006


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Charles Oram wrote:
> So if I install the user's self-signed certificate on the server, isn't 
> that just giving the server the user's public key so that the server can 
> authenticate the user? OK, I don't have the full chain of trust that you 
> have with signed certificates, but you need more than a username and 
> password to login to CVS then.

That's not how SSL works - you create a local CA, then issue 
certificates from that CA to your clients.  The server then knows it can 
trust the certificate as it was issued from its own (trusted) CA.  You'd 
have to issue the ca.pem for your local CA of course...

This not only allows you to control which clients can connect, but you 
can control things like the expiration date and revoke old clients easily.

I know of no implementations that work as you suggest - the whole point 
of signing is you don't need huge databases of valid clients.. you'd end 
  up with login time sucking as it'd have to compare every public key it 
knew about with the supplied one (that's even if it's possible to 
implement such a scheme in SSL.. you might not be able to get the 
presented keys & convert them into a useful format anyway).

Tony



More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook