On 4/9/14, 8:56 AM, msk...@ansuz.sooke.bc.ca wrote:
> I'm not subscribed to the list and would appreciate a cc: on any replies.
>
> I run a Subversion server accessible through Apache HTTPS, and several
> clients that connect to it, all under Linux, and I run my own CA
> (certificate authority) to issue SSL certificates to all parties. When I
> set it up, I made no provision for issuing and distributing CRLs
> (certificate revocation lists), not expecting that to ever be a relevant
> issue. My server was "heartbleed"-vulnerable and has now been patched for
> that; but it appears that as a result of possible past compromise I have
> to issue new certificates for all the parties and revoke the old ones.
>
> My main question is: how do I get the Subversion command-line client to
> read a CRL? The ssl-authority-files configuration setting lets me specify
> my CA's root certificate in a file; is there a similar setting for the
> CRL? I would prefer to distribute the CRL as a file (instead of a URL to
> be checked automatically); is that possible? Or is it absolutely
> necessary to post the CRL online somewhere and specify its URL in the root
> certificate (which will require constructing a new root certificate and a
> bunch of scripts to periodically re-issue and re-post the file). If it's
> going to necessitate changes to the root certificate and frequent ongoing
> maintenance, I might be better off just re-doing the entire public key
> infrastructure from scratch, annoying as that will be.
>
> Note I am specifically asking about the Subversion command-line client
> running under Linux. I already know how to configure Apache to read the
> CRL on the server side. All I've been able to find online regarding
> *client-side* Subversion CRL use is Windows-specific.

The answer unfortunately is that currently we don't support CRLs. However, we may have a workaround. We're investigating currently and will follow up with more info soon.