This describes a setup in progress; not everything here works yet. See CodingProjects for the relevant modules and projects, and for how to access our trac setup.
Developer Access
The server certificate is signed by SPI. It's a chained setup; the final cert for svn has the fingerprint A9:70:E9:A0:80:7A:A5:2E:68:38:8F:E1:9B:22:88:21:B4:3D:88:EE (SHA1) or BE:C9:3D:A9:14:67:D2:8C:25:B8:10:BC:13:B0:69:F7 (MD5).
You need a client certificate to access svn.oftc.net using SSL.
Client Certificates
If you do not already have an OFTC client certificate and are one of the developers here's how to get one:
Create a new key and a certificate signing request. Leave all the fields empty (giving "." if the default would be non-empty) except for CN (aka YOUR name), in which you - surprisingly enough - enter your full name, and E-Mail, in which your @oftc.net email address is expected.
openssl req -new -newkey rsa:2048 -keyout $USER-oftc.key -out $USER-oftc.csr
Send the .csr file to weasel in a PGP-signed email. Keep the .key file secret.
Once you get the .pem file back from weasel, you need to create a pkcs12 file for the subversion client. Mozilla and friends can use that too. You need the CA's certificate chain (CA-chain.pem) to create this file.
openssl pkcs12 -export -in $USER-oftc.pem -inkey $USER-oftc.key -certfile CA-chain.pem -out $USER-oftc.p12
Place the client certificate in a convenient place. Weasel likes ~/.subversion for it. Subversion will otherwise ask you every time which cert to use and what its password is. You can teach svn the values to use in its servers config file, .subversion/servers:
[groups]
oftc = svn.oftc.net

[oftc]
ssl-client-cert-file = /home/weasel/weasel-oftc.p12
ssl-client-cert-password = geheim
ssl-authority-files = /home/weasel/CA-chain.pem
Make sure the permissions of the .key, the .p12, and the servers file (it holds the pkcs12 password in clear text) don't allow unprivileged reading.
For your reference, this is CA-chain.pem's sha1sum:
$ sha1sum CA-chain.pem
d17f77f4a5e1c8455997a9b3a313539bc9037827  CA-chain.pem
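As an added example (not OFTC's tooling and not code from this page), the Python script below does the checks the procedure above calls for once the openssl commands have produced the key, the .pem and the .p12: it verifies CA-chain.pem against the published sha1sum, renders the .subversion/servers stanza, creates that file with mode 0600 from the start so the password is never briefly world-readable, and audits the .key, .p12 and servers files for group/other read access. The scratch directory, the placeholder certificate text, the file names and the deliberately mis-permissioned leaky.key are constructed for the demo; the real CA-chain.pem and client files come from the steps above.

```python
"""Post-setup checks for the OFTC svn client-certificate procedure (added example)."""
import configparser
import hashlib
import io
import os
import stat
import tempfile

# Published digest of CA-chain.pem from the page; anything else means a wrong or tampered chain.
CA_CHAIN_SHA1 = "d17f77f4a5e1c8455997a9b3a313539bc9037827"


def sha1_of_file(path):
    """Hex SHA-1 of a file, read in chunks; yields the same value sha1sum prints."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_ca_chain(path, expected=CA_CHAIN_SHA1):
    """True only if the CA chain matches the published digest; trust it only after this passes."""
    return sha1_of_file(path) == expected


def render_servers_config(cert_file, cert_password, ca_file, host="svn.oftc.net", group="oftc"):
    """Build the ~/.subversion/servers text that maps the host to a group and sets its cert and CA."""
    cfg = configparser.ConfigParser(interpolation=None)  # no %-interpolation: passwords may contain '%'
    cfg["groups"] = {group: host}
    cfg[group] = {
        "ssl-client-cert-file": cert_file,
        "ssl-client-cert-password": cert_password,
        "ssl-authority-files": ca_file,
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


def write_private_file(path, text):
    """Create the file with mode 0600 at open time (umask can only tighten this, never loosen it)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


def world_readable(paths):
    """Return the subset of paths readable by group or others, i.e. what the page tells you to avoid."""
    return [p for p in paths if os.stat(p).st_mode & (stat.S_IRGRP | stat.S_IROTH)]


def setup_demo(home=None):
    """Run the flow in a scratch directory (stand-in for $HOME) and report the results of each check."""
    home = home or tempfile.mkdtemp()
    # Constructed stand-in for CA-chain.pem; the real one comes from weasel and hashes to CA_CHAIN_SHA1.
    ca = os.path.join(home, "CA-chain.pem")
    with open(ca, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    # Known-answer check for the hashing helper itself: sha1("abc").
    kat = os.path.join(home, "abc.txt")
    with open(kat, "wb") as f:
        f.write(b"abc")
    p12 = write_private_file(os.path.join(home, "weasel-oftc.p12"), "")  # stands in for the pkcs12 bundle
    servers = write_private_file(os.path.join(home, "servers"),
                                 render_servers_config(p12, "geheim", ca))
    leaky = os.path.join(home, "leaky.key")  # deliberately mis-permissioned so the audit has something to catch
    with open(leaky, "w") as f:
        f.write("")
    os.chmod(leaky, 0o644)
    return {
        "abc_sha1": sha1_of_file(kat),
        "ca_ok": verify_ca_chain(ca),  # False: the placeholder is not the real chain
        "servers_text": open(servers).read(),
        "servers_mode": stat.S_IMODE(os.stat(servers).st_mode),
        "leaky": world_readable([p12, servers, leaky]),
    }


if __name__ == "__main__":
    result = setup_demo()
    print("CA chain matches published sha1sum:", result["ca_ok"])
    print(result["servers_text"])
    print("files readable by others:", result["leaky"])
```

Point setup_demo at your real ~/.subversion once the files exist and the only line worth acting on is a non-empty "files readable by others" list or a False from verify_ca_chain; the CA chain itself is public and may stay world-readable, which is why it is not in the audited list.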
