Nils-Johan Andreasson wrote on Thu, May 06, 2021 at 13:03:28 +0200:
> Thanks Stefan for your response and pointers!
> 
> There is no doubt my connections are already encrypted.
> The issue is that the external library I'm referring to supports specifying
> paths to source code using multiple protocols, e.g. svn:// (but also
> https://, http://, git://, ftp:// etc) and any svn:// source is generally
> considered insecure, just like http:// (but not for example https://). It
> is not verified in any way if that's actually the case, it's just based on
> the scheme prefix svn://
> 
> Using something like that I can hopefully convince the library maintainer
> to enable this flag by default and then consider an svn:// source secure by
> default (as connection would otherwise not succeed).

You could also point out to the library author that treating svn://foo/
as insecure would be wrong when foo is an IP address on a VPN, or
a loopback address, or an address of a virtualized box running on the same
hardware, and so on, even if no encryption is used at all.

Cheers,

Daniel


> I understand your point with that as long as "use-sasl = true" is
> configured on the server, the connection would abort if the client cannot
> communicate securely. However, this means that if this external library is
> pointed to a svn:// source with "use-sasl = false" the connection would
> succeed, which is what I'm trying to prevent here to guarantee no
> unencrypted connections are made.
> 
> Hope my point came through better this time?
> 
> Best regards,
> 
> Nils-Johan
> 
> 
> On Thu, May 6, 2021 at 11:40 AM Stefan Sperling <s...@elego.de> wrote:
> 
> > On Thu, May 06, 2021 at 11:21:57AM +0200, Nils-Johan Andreasson wrote:
> > > Hi there!
> > >
> > > I'm serving a repository using svnserve with SASL to make sure
> > > communication is always encrypted (config has use-sasl = true,
> > > min-encryption = 128 and max-encryption = 256).
> > > I know this enforces encryption server-side but is there any way to in
> > > addition also "require" encryption client-side? E.g. let's say if I do
> > > 'svn checkout svn://my-insecure-host/repository' I want the command to
> > > abort if the connection is not encrypted.
> >
> > The min-encryption parameter maps directly to the Cyrus SASL
> > secprops.min_ssf parameter which is described here:
> >
> > https://www.cyrusimap.org/sasl/sasl/developer/programming.html#security-layers
> >
> > Quote:
> > "A connection supplying only integrity with no privacy would have an SSF
> > of 1. A connection secured by 56-bit DES would have an SSF of 56.
> > To require a security layer, set min_ssf to the minimum acceptable
> > security layer strength."
> >
> > SVN servers and clients check the SASL_SSF property of their connection
> > here and abort if SASL failed to negotiate encryption if encryption is
> > configured:
> >
> > https://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c?revision=1875971&view=markup#l726
> >
> > So your connections should already be encrypted. Perhaps the encryption
> > mechanism SASL is using is considered too weak by your external tool?
> > Would setting min-encryption = 256 help?
> > Or perhaps your external tool simply doesn't understand the SVN protocol?
> >
> > Cheers,
> > Stefan
> >

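
The thread's point that a scheme prefix alone does not decide whether a source is safe to fetch can be sketched as a classifier that also looks at the host. This is an added example, not code from the thread or from the library being discussed; `classify_source`, `ENCRYPTED_SCHEMES` and the `TRUSTED_NETWORKS` range are hypothetical names and constructed values.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: only https:// is treated as encrypted by scheme, as in the thread.
ENCRYPTED_SCHEMES = {"https"}

# Constructed value: a network the operator has decided to trust (e.g. a VPN range).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.8.0.0/24")]


def classify_source(url, trusted_networks=TRUSTED_NETWORKS):
    """Return (verdict, reason); verdict is 'secure' or 'insecure'."""
    parts = urlsplit(url)
    if parts.scheme.lower() in ENCRYPTED_SCHEMES:
        return "secure", "encrypted scheme"
    host = parts.hostname
    if host is None:
        return "insecure", "no host in URL"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A name can resolve anywhere, so it is never trusted by name alone.
        return "insecure", "plaintext scheme, host is a name"
    if addr.is_loopback:
        return "secure", "loopback address"
    if any(addr in net for net in trusted_networks):
        return "secure", "address in operator-trusted network"
    return "insecure", "plaintext scheme, untrusted address"


if __name__ == "__main__":
    # Constructed sample URLs covering each branch.
    for sample in (
        "https://example.org/repo",
        "svn://127.0.0.1/repository",
        "svn://[::1]/repository",
        "svn://10.8.0.5/repository",
        "svn://my-insecure-host/repository",
        "svn://203.0.113.7/repository",
    ):
        print(sample, classify_source(sample))
```

Whether an svn:// server enforces SASL encryption cannot be read from the URL, so the sketch does not try to infer it.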