http://bugzilla.opensuse.org/show_bug.cgi?id=932393 Bug ID: 932393 Summary: Zypper doesn't support client certificate authentication Classification: openSUSE Product: openSUSE 12.3 Version: Final Hardware: All OS: openSUSE 13.2 Status: NEW Severity: Normal Priority: P5 - None Component: libzypp Assignee: zypp-maintainers@forge.provo.novell.com Reporter: eimacdude@aol.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Private repositories have important use cases, and that makes authentication of the package manager to the repository a concern. Unfortunately, zypper only seems to support basic authentication. However, basic authentication even over TLS doesn't provide good security. The large attack window caused by sending the password with every request is just one of numerous issues ([1], [2], and many others). Client certificate authentication is not subject to these issues and is a commonly implemented method, including in tools like git and mercurial, and zypper's "competitor" yum. Indeed, I was surprised after using yum with sslclientcert= and sslclientkey= that the same option was not available in zypper, which I've always thought of as the more advanced system, with its fancier dependencies solver and such. I think from a security viewpoint the lack of support for client certificates is a significant deficiency, and I'm thus submitting this as a bug rather than a feature (as a motivating precedent, when I submitted a client-certificate related issue with mercurial's bug tracker, it was accepted as a bug). References: [1] http://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done... [2] http://adrianotto.com/2013/02/why-http-basic-auth-is-bad/ -- You are receiving this mail because: You are on the CC list for the bug.