SSL server plus access control lists patch

From: minyard
Subject: SSL server plus access control lists patch
Date: 28 Jul 2001 21:52:35 -0500

I've been working to learn SSL, and I created a CVS pserver-like
access method that runs over SSL.  I called it sserver.  This avoids
sending plaintext passwords and data between the client and server,
and it allows (well, requires) the client to validate the server using
SSL keys.  I consider this patch somewhat experimental, so use it at
your own risk (like I have to say that about any free software), but
it's tons better than using pserver straight.  Also, OpenSSL is
perhaps the most poorly documented software I have ever used, so be
ready to have to work a little bit to use it.  Documentation on how to
use sserver (and a little bit of documentation on OpenSSL) is included
in the patch.  I would recommend buying a book on SSL and reading
it before depending on this for security (just like I would recommend
for using SSH).

It's on my web page ( and it includes
the access control list changes and changes that let you have a
"prefix" on the repository.  The last change is nice, because it
reduces the size of the CVSROOT variable and it allows you to move the
repository on the server without affecting the client systems.  So,
for instance, if you have your repository in /home/cvs/root, you can
set the prefix to /home/cvs and the user needs only specify /root.
That way, you can move the repository to /exports/home/cvs/root, for
instance, and the clients will not have to change anything.

Also, I do have this compiled on Windows-NT, and I have put some of my
Visual C++ 6.0 project files on the web page.  I know very little
about Visual C++, so anyone with experience will probably get a good
laugh about what I've done, but it does work.  You will obviously have
to compile OpenSSL on Windows, too, to get this to work.  But the
standard way of compiling CVS on Windows won't work because it's
incompatible with the way OpenSSL is compiled.
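
The repository prefix mapping described in the message above, as an added example that is not code from the sserver patch: a server-side helper joins the configured prefix with the root the client sends. The function name `resolve_root` is hypothetical, and the rejection of `..` components is an assumption added here; the post does not say whether the patch performs such a check.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the sserver patch): map the root the
 * client sends (e.g. "/root") onto the server-side prefix (e.g.
 * "/home/cvs"). Returns 0 and fills out, or -1 if the request is refused. */
int resolve_root(const char *prefix, const char *client_root,
                 char *out, size_t outlen)
{
    const char *p;
    size_t plen = strlen(prefix);
    int n;

    /* The client root must be absolute, as in the post's "/root" example. */
    if (client_root[0] != '/')
        return -1;

    /* Refuse any ".." component so the result cannot leave the prefix.
     * Assumption added here; the post does not describe this check. */
    for (p = client_root; *p != '\0'; ) {
        size_t len;
        while (*p == '/')
            p++;
        len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return -1;
        p += len;
    }

    /* Drop trailing slashes from the prefix to avoid "//" in the result. */
    while (plen > 0 && prefix[plen - 1] == '/')
        plen--;

    n = snprintf(out, outlen, "%.*s%s", (int)plen, prefix, client_root);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* would not fit: refuse, never truncate */
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed inputs using the paths mentioned in the post. */
    if (resolve_root("/home/cvs", "/root", buf, sizeof buf) == 0)
        printf("%s\n", buf);
    if (resolve_root("/exports/home/cvs", "/root", buf, sizeof buf) == 0)
        printf("%s\n", buf);
    return 0;
}
```

Moving the repository only changes the `prefix` argument on the server; the client keeps sending `/root`.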

