[Bug 932393] New: Zypper doesn't support client certificate authentication
http://bugzilla.opensuse.org/show_bug.cgi?id=932393

Bug ID: 932393
Summary: Zypper doesn't support client certificate authentication
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Hardware: All
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: libzypp
Assignee: zypp-maintainers@forge.provo.novell.com
Reporter: eimacdude@aol.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Private repositories have important use cases, and that makes authentication of the package manager to the repository a concern. Unfortunately, zypper only seems to support basic authentication. However, basic authentication even over TLS doesn't provide good security. The large attack window caused by sending the password with every request is just one of numerous issues ([1], [2], and many others).

Client certificate authentication is not subject to these issues and is a commonly implemented method, including in tools like git and mercurial, and zypper's "competitor" yum. Indeed, I was surprised after using yum with sslclientcert= and sslclientkey= that the same option was not available in zypper, which I've always thought of as the more advanced system, with its fancier dependency solver and such.

I think from a security viewpoint the lack of support for client certificates is a significant deficiency, and I'm thus submitting this as a bug rather than a feature (as a motivating precedent, when I submitted a client-certificate-related issue with mercurial's bug tracker, it was accepted as a bug).

References:
[1] http://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done...
[2] http://adrianotto.com/2013/02/why-http-basic-auth-is-bad/

--
You are receiving this mail because: You are on the CC list for the bug.
--- Comment from Michael Andres
 * - ssl_clientcert
 *   Absolute path to a ssl client certificate for authentication to a repo
 *   passed to CURLOPT_SSLCERT
Does a repository baseurl like this work for you?
baseurl=https://server/path?ssl_clientcert=/absolute/path/tothe/certificate.pem
An option to set CURLOPT_SSLKEY, however, is missing, and so are the above sslclient* options in the .repo file.
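A check a repository maintainer could run against the .repo configuration described in this comment, as an added example that is not code from the bug thread or from libzypp: it parses the baseurl of each repo section for the ssl_clientcert query option and inspects the PEM file it points at. The .repo contents, the /etc/zypp/private-repo.pem path and the PEM body are constructed placeholders. The permission check rests on libcurl's documented behaviour that, when CURLOPT_SSLKEY is not set, the private key is read from the CURLOPT_SSLCERT file; since the comment notes that zypper exposes no key option, the certificate file named in the baseurl will carry the private key and should not be readable by other users.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample .repo file (not from the bug thread): the baseurl
# carries the ssl_clientcert query option described in the comment above.
# The certificate path is a placeholder.
SAMPLE_REPO = """[private]
name=Private repository
enabled=1
autorefresh=1
baseurl=https://server/path?ssl_clientcert=/etc/zypp/private-repo.pem
type=rpm-md
"""

# Constructed placeholder PEM content: the markers are real, the bodies are
# not a usable certificate or key. It models a file that bundles both, which
# is what libcurl expects when only CURLOPT_SSLCERT is set.
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERCERTIFICATEBODY\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "PLACEHOLDERPRIVATEKEYBODY\n"
    "-----END PRIVATE KEY-----\n"
)


def client_cert_paths(repo_text):
    """Map each repo section to the ssl_clientcert path in its baseurl, if any."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    found = {}
    for section in cp.sections():
        baseurl = cp.get(section, "baseurl", fallback=None)
        if not baseurl:
            continue
        query = parse_qs(urlsplit(baseurl).query)
        if "ssl_clientcert" in query:
            found[section] = query["ssl_clientcert"][0]
    return found


def inspect_pem(path):
    """Report what the PEM file at `path` contains and whether others can read it."""
    report = {"exists": os.path.isfile(path), "has_cert": False,
              "has_key": False, "readable_by_others": None}
    if not report["exists"]:
        return report
    with open(path, "rb") as fh:
        data = fh.read()
    report["has_cert"] = b"-----BEGIN CERTIFICATE-----" in data
    report["has_key"] = b"PRIVATE KEY-----" in data
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report["readable_by_others"] = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return report


def findings(repo_text, resolve=lambda p: p):
    """Combine both checks; `resolve` lets a caller redirect the placeholder
    path (used by demo() to point at a temporary file)."""
    out = {}
    for section, cert in client_cert_paths(repo_text).items():
        report = inspect_pem(resolve(cert))
        problems = []
        if not report["exists"]:
            problems.append("certificate file missing")
        elif not report["has_cert"]:
            problems.append("no CERTIFICATE block")
        if report["exists"] and report["has_key"] and report["readable_by_others"]:
            problems.append("bundled private key readable by group/others")
        out[section] = problems
    return out


def demo():
    """Write the constructed PEM with loose, then tight, permissions and return
    the findings for each, so the permission check is exercised end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "private-repo.pem")
        with open(pem, "w") as fh:
            fh.write(FAKE_PEM)
        redirect = lambda _p: pem
        os.chmod(pem, 0o644)
        loose = findings(SAMPLE_REPO, redirect)
        os.chmod(pem, 0o600)
        tight = findings(SAMPLE_REPO, redirect)
    return loose, tight


if __name__ == "__main__":
    print(client_cert_paths(SAMPLE_REPO))
    print(demo())
```

Run as a script it prints the extracted certificate path and then the two findings: the same file is flagged with mode 0644 and passes with mode 0600. Pointing `findings()` at a real /etc/zypp/repos.d file (without the redirect) reports a missing file or a missing CERTIFICATE block for each repo whose baseurl carries the option.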