At work I ran into a challenge recently. We have been using Subversion for quite a while already with good experiences. CruiseControl was our build environment, but is heavy on the xml configuration. Recentely we decided we should give Jenkins a shot for a small project I’m working on.

Our Subversion server is secured with both certificate authentication and username/password verification. Jenkins however, only supports one at a time.

In order to make Jenkins work with our SVN repository we have chosen to offload the certificate-based authentication using a third party tool. I’ve managed to do this with two tools: DeleGate and stunnel. I’ll describe them both.

 

PFX/P12 to PEM
Both tools require the client certificate to be in the PEM format, instead of the PFX/P12 format used by Microsoft. Download the openssl binaries for Windows and install them. Then run the following commands to generate seperate .pem files:

 

openssl pkcs12 -in mycertificate.p12 -clcerts -nokeys -out cert.pem
openssl pkcs12 -in mycertificate.p12 -nocerts -nodes -out key.pem

Alternatively, download create_pem.zip, extract it and run create_pem.bat and follow the instructions.

DeleGate
DeleGate is a tool that can proxy a lot of protocols, both secure and non-secure, and act as a proxy itself as well. For our purpose it will accept non-ssl connections and forward these requests to a secure http server, authenticating to it using our client certificate.

Download DeleGate (link) and unpack it to a directory of your choice. Run the following command from the bin directory of DeleGate from an Administrator context. Replace “your.secure.server.nl” with your SVN server.

 

dg9_9_7.exe -P8070 FSV=”sslway -cert c:/cert/cert.pem -key c:/cert/key.pem” SERVER=tcprelay://your.secure.server.nl:443 ADMIN=admin

You will see the following:

Confirm that you want to start the service on system startup. Test the setup by pointing your browser to http://localhost:8070/ and possibly the rest of the url to trac/svn.

If there are any problems, try starting delegate with the “-v” parameter. It will start in the foreground and add verbose logging. Use “-vv” if youwish to have even more detailed logging.

Note that in the setup above, I am not using the recommended “SERVER=http” variant that is shown in many examples for the exact same situation. From my tests it seems there is a compatibility problem with the “http” protocol module and hte webserver serving trac (either that, or having trouble enabling client certification authentication). The difference between SERVER=http and SERVER=tcprelay is that the ‘http’ module is more intelligent, as it will rewrite the “Host” header correctly for the translated url. This may pose a problem if your SVN server is using vhosts. In our setup however, this is not used.

stunnel
As an alternative to DeleGate you can use stunnel. This application is also an SSL encryption wrapper between client and server. It can add a secure endpoint to an unsecure server and can provide a non-secure endpoint for secure servers. It works with multiple protocols such as POP, IMAP and HTTP.

Download stunnel (link) and install it. Once installed it will add a system tray icon and install itself as a system service. Rightclick the tray icon and edit the configuration. The relevant configuration is (replace your.secure.server.nl with your svn server):

 

; Global options 
;debug = 7 
;output = stunnel.log 
options = NO_SSLv2
; Service definitions 
[http] 
client = yes 
accept  = 127.0.0.1:8060 
connect = your.secure.server.nl:443 
cert = c:/cert/cert.pem 
key = c:/cert/key.pem

Save the file and rightclick the tray icon again and choose ‘reload configuration’. You should now be able to point your browser to http://localhost:8060/ and see the server content.

In case of any problems you can uncomment the ‘debug’ and ‘output’ lines in the configuration and debug the problem.

Advertisements