On Thu, May 06, 2021 at 11:21:57AM +0200, Nils-Johan Andreasson wrote:
> Hi there!
>
> I'm serving a repository using svnserve with SASL to make sure
> communication is always encrypted (config has use-sasl = true,
> min-encryption = 128 and max-encryption = 256).
> I know this enforces encryption server-side but is there any way to in
> addition also "require" encryption client-side? E.g. let's say if I do 'svn
> checkout svn://my-insecure-host/repository' I want the command to abort if
> the connection is not encrypted.
The min-encryption parameter maps directly to the Cyrus SASL secprops.min_ssf parameter which is described here:
https://www.cyrusimap.org/sasl/sasl/developer/programming.html#security-layers

Quote:
"A connection supplying only integrity with no privacy would have an SSF of 1. A connection secured by 56-bit DES would have an SSF of 56. To require a security layer, set min_ssf to the minimum acceptable security layer strength."

SVN servers and clients check the SASL_SSF property of their connection here and abort if SASL failed to negotiate encryption when encryption is configured:
https://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c?revision=1875971&view=markup#l726

So your connections should already be encrypted.

Perhaps the encryption mechanism SASL is using is considered too weak by your external tool? Would setting min-encryption = 256 help?

Or perhaps your external tool simply doesn't understand the SVN protocol?

Cheers,
Stefan
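An added example, not part of the thread above and not Subversion's own code: a small auditor for the [sasl] section of svnserve.conf that applies the mapping Stefan describes (min-encryption / max-encryption are Cyrus SASL's min_ssf / max_ssf, and an SSF of 0 means no security layer), plus a model of the post-negotiation SSF check that aborts a connection whose negotiated SSF falls short of the configured minimum. The two config samples are constructed for this example; the defaults assumed when a key is absent (SASL off, min 0, max 256) are an assumption of this example, not taken from the thread.

```python
"""Audit the [sasl] section of an svnserve.conf for weak encryption settings.

Added example; it is not from the mailing-list thread or from Subversion.
svnserve's min-encryption / max-encryption keys map onto Cyrus SASL's
secprops.min_ssf / max_ssf. An SSF of 0 is no security layer, 1 is
integrity only, and larger values are the cipher strength in bits.
"""
import configparser

# Constructed sample: SASL is on, but nothing forces a security layer.
WEAK_CONF = """\
[general]
anon-access = none
auth-access = write

[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
"""

# Constructed sample using the values from the question in the thread.
HARDENED_CONF = """\
[general]
anon-access = none
auth-access = write

[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
"""


def sasl_settings(conf_text):
    """Return (use_sasl, min_ssf, max_ssf) parsed from an svnserve.conf string.

    The fallbacks (SASL off, min 0, max 256) are this example's assumption
    about what applies when a key is missing.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("sasl"):
        return (False, 0, 256)
    use_sasl = cp.getboolean("sasl", "use-sasl", fallback=False)
    min_ssf = cp.getint("sasl", "min-encryption", fallback=0)
    max_ssf = cp.getint("sasl", "max-encryption", fallback=256)
    return (use_sasl, min_ssf, max_ssf)


def audit_sasl(conf_text):
    """Return a list of findings; an empty list means encryption is required."""
    use_sasl, min_ssf, max_ssf = sasl_settings(conf_text)
    findings = []
    if not use_sasl:
        findings.append("use-sasl is off: svn:// traffic is not protected by SASL")
        return findings
    if min_ssf == 0:
        findings.append("min-encryption = 0: a client may negotiate no security layer")
    elif min_ssf < 128:
        findings.append(f"min-encryption = {min_ssf}: a layer weaker than 128 bits is accepted")
    if max_ssf < min_ssf:
        findings.append(f"max-encryption {max_ssf} < min-encryption {min_ssf}: no layer satisfies both")
    return findings


def layer_acceptable(negotiated_ssf, min_ssf):
    """Model of the check made after SASL negotiation: the connection is
    kept only if the negotiated SSF reaches the configured minimum.
    SSF 1 (integrity only) is rejected by any min_ssf above 1."""
    return negotiated_ssf >= min_ssf


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_sasl(conf) or ["ok: encryption required"])
    print("negotiated SSF 1 against min 128 accepted?", layer_acceptable(1, 128))
```

With the hardened sample the audit returns no findings, and a negotiated SSF of 0 or 1 is rejected against min-encryption = 128, which is the server-side behaviour the thread describes; the weak sample is flagged because min-encryption = 0 lets a peer negotiate no layer at all.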