Nico Kadel-Garcia wrote on Mon, Dec 21, 2015 at 19:07:18 -0500:
> On Mon, Dec 21, 2015 at 2:21 PM, David Brodbeck <bro...@uw.edu> wrote:
> >
> >
> > On Sat, Dec 19, 2015 at 2:43 AM, Daniel Shahaf <d...@daniel.shahaf.name>
> > wrote:
> >>
> >> Or perhaps stunnel, which has its pros and cons (e.g., an SSL
> >> vulnerability won't compromise the svn process).
> >
> >
> > I thought about suggesting that, too, but I'm not sure it's workable. While
> > it'd be easy to set up on the server side, it would be very clumsy on the
> > client side, since the client isn't going to understand svn-over-TLS without
> > its own stunnel instance.
>
> Sure it can. This is similar to how svn+ssh works. For stunnel, you'd
> set up a port tunnel from a port on your localhost.
Or you could use a stdio tunnel:
svn info svn+ssl://host/foo/bar
--config-option=config:tunnels:ssl='$SVN_SSL /path/to/script'
with /path/to/script being
#!/bin/sh
socat STDIO OPENSSL:$1:3691
($1 is the remote hostname)
