Configure the SourceForge Enterprise Edition Download for SSL Secure Subversion access

The following instructions on how to change the SourceForge Enterprise Edition Download to support SSL connections to the Subversion repository are at your own risk and not supported by CollabNet.

If you are still eager to access your Subversion repositories via a secure connection on your SFEE Download machine: Read on!

Why do this?

As I wrote in my last post that concentrated on how to port Subversion 1.5-dev to SFEE, I love to work with SourceForge Enterprise Edition, which I use for my own projects. I like the fact that, with a single click, I can create a new Subversion repository to store code and documentation of my projects, and that the SFEE permission settings for every account are automatically applied to the Subversion server configuration, so I do not need to change config files on my own.

The free 15-user SourceForge Enterprise Edition Download does not come with preconfigured SSL support because CollabNet cannot export strong cryptography to every country. If you only host Open Source projects on SFEE and do not have to care about potential attacks that try to grab your Subversion and SFEE password, using SFEE and Subversion over the default HTTP port is the most convenient and best performing option. However, if you would like to access SFEE’s Subversion repositories over a secured connection, this blog post explains how to implement that. The procedure is really straightforward and takes about as long as reading this blog entry.

Back up everything

Before proceeding with the next step, you should back up everything that is worth saving. It is very unlikely that the following steps will affect any of your data, but you should play it safe.

Yum is your friend (again)

As in my last blog post, yum is the key to success. This time, you do not have to modify any configuration file but simply type:

yum install mod_ssl

in a root console on your VMware image. Confirm all questions with “yes” (make sure that the country you live in allows you to use strong cryptography).

Yum automatically generates the config files for Apache that are needed to support SSL and generates a self-signed certificate for your domain. Self-signed certificates will not be immediately accepted by your browser, so if you have the possibility to sign your certificate with your own one, please tell me and I can help you to change the certificate for SFEE. If you do not have your own certificate, do not worry: this does not reduce the level of security, but people who try to connect to your Subversion repositories will have to accept your certificate.

Now it is time to restart the webserver. Type:

/etc/init.d/httpd restart

in a root console of your VMware image.

The only thing that remains between you and secure Subversion repository access are SFEE’s firewall settings. To unblock the SSL port, simply type:

iptables -I RH-Firewall-1-INPUT -m state --state NEW -p tcp --destination-port 443 -j ACCEPT

in a root console of your VMware image. If you do not want to repeat this step after every reboot, you may add this configuration to a file that is read at every system start, like /etc/sysconfig/iptables.

Now you are able to access all your Subversion repositories managed with SFEE over a secure SSL connection. Simply change every Subversion repository URL that starts with http:// so that it starts with https:// instead.
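The iptables command above uses -I, which puts the new rule at the top of the chain; when the same rule is copied into /etc/sysconfig/iptables, its position relative to a closing catch-all REJECT decides whether it ever matches. The following is an added example, not part of the original post: it reads a rule file in iptables-save format and reports whether a port's ACCEPT rule is reachable. The sample rules, the chain layout with a final REJECT, and the helper names port_status and sample_rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a rule file in
# iptables-save format (every rule written as "-A <chain> ...").

CHAIN="RH-Firewall-1-INPUT"   # chain name used by the post's iptables command

# port_status FILE PORT -> prints one of: open | shadowed | closed
#   open      ACCEPT for tcp PORT comes before any catch-all REJECT/DROP
#   shadowed  ACCEPT exists but after the catch-all, so it is never reached
#   closed    no ACCEPT for the port in the chain
port_status() {
    awk -v port="$2" -v chain="$CHAIN" '
        $1 != "-A" || $2 != chain { next }
        {
            target = ""; dport = ""; has_match = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport" || $i == "--destination-port") dport = $(i + 1)
                if ($i ~ /^-[psdim]$/) has_match = 1
            }
            if (target == "ACCEPT" && dport == port) {
                found = 1; print (blocked ? "shadowed" : "open"); exit
            }
            # A REJECT/DROP with no match options ends the chain for all traffic.
            if ((target == "REJECT" || target == "DROP") && !has_match) blocked = 1
        }
        END { if (!found) print "closed" }
    ' "$1"
}

# Constructed sample: the 443 rule was appended at the end of the file,
# below the catch-all REJECT (an assumed, typical chain layout).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --destination-port 443 -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp) && sample_rules > "$tmp"
for p in 80 443 8080; do echo "tcp/$p: $(port_status "$tmp" "$p")"; done
rm -f "$tmp"
```

On the constructed sample this reports port 443 as shadowed; placing the 443 line above the REJECT line in the file makes it report open.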

As you may have noticed, making Subversion accessible via a secure connection is only part of the game. Let me know if you are interested in a blog post or further documentation on any of these topics:

  • Block insecure connections to SFEE and Subversion.
  • Replace the self-signed certificate with a certificate that is immediately accepted by any Subversion client and browser.
  • Configure the web-interface of SFEE to be accessible via SSL as well.

If you are, please post a comment to this blog post.

Johannes Nicolai

Johannes Nicolai is CollabNet’s Development Manager leading all Git and Gerrit related development efforts. Furthermore, he is responsible for CollabNet Connect /synch, CollabNet’s platform to integrate TeamForge with third party ALM platforms. Johannes holds a Master of Science in IT Systems Engineering from Hasso Plattner Institut Potsdam and is a Certified Scrum Master. Before joining CollabNet five years ago, he was doing consulting on user centric design, developing cryptographic software and architecting SAP integrations. He is an Open Source enthusiast and contributes to many projects (check out https://www.ohloh.net/accounts/10619 for details).

7 comments on “Configure the SourceForge Enterprise Edition Download for SSL Secure Subversion access”
  1. Jody Jenkins says:

    I have ssl on the subversion integration server from clients connecting to a repo. But I am having trouble getting ssl to work between the SFEE and the subversion server. When I set sfmain.integration.listener_ssl=true (and the correct port) in the sourceforge.properties files on the subversion server, I still am not able to set an integration server from sourceforge to use SSL. Any ideas?

  2. Johannes Nicolai says:

    Hi Jody,
    in fact, there is more work to do than setting this flag. Do you use the full SFEE or the public downloadable version?
    In the first case, there is more information available inside sfdl. I think, the best idea would be to contact customer service.
    Best, Johannes

  3. Rob Munn says:

    Johannes, nice post! I enabled full web access via SSL by adding the mod_rewrite stuff from the bottom of httpd.conf into ssl.conf. I haven’t tested all the functionality, but basically it seems to be working. I am going to block port 80 tomorrow once I verify this is all good.

  4. Johannes Nicolai says:

    Hi Rob,
    congratulations. As far as I can judge on your steps from remote it looks as if you have successfully done the last few steps to access SFEE via SSL as well.
    Best, Johannes

  5. Sharma Ayyagari says:

    Johannes,
    Nice post.
    Could you please explain the following topics also.
    Block insecure connections to SFEE and Subversion.
    Replace the self-signed certificate with a certificate that is immediately accepted by any Subversion client and browser.
    Configure the web-interface of SFEE to be accessible via SSL as well.
    thanks,
    Sharma

  6. Angel Asencio says:

    I definitely would be interested in the three topics (For the SFEE that has Subversion included in the download):
    * Block insecure connections to SFEE and Subversion.
    * Replace the self-signed certificate with a certificate that is immediately accepted by any Subversion client and browser.
    * Configure the web-interface of SFEE to be accessible via SSL as well.
    Thanks,

    -Angel

  7. Johannes Nicolai says:

    Hi Sharma and Angel,
    Rob (previous comment) already answered how to configure the web interface to be accessible via SSL as well: Enable full web access via SSL by adding the mod_rewrite stuff from the bottom of httpd.conf into ssl.conf and restart the server: /etc/init.d/httpd restart
    Once you have managed this step, the next step is to disable port 80 (as Rob suggested as well), so that insecure connections are blocked: Just deactivate the firewall rule in /etc/sysconfig/iptables-config (http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/en-US/Reference_Guide/s2-sysconfig-iptables.html) that allows access to port 80 (--destination-port 80).
    The last question (Replace the self-signed certificate with a certificate that is immediately accepted by any Subversion client and browser) is definitely the trickiest one. In order to get your certificate accepted by any browser and subversion client without getting a warning before, you have to have a certificate for your SFEE box that is signed by a trusted root certificate. These certificates are not that cheap, usually require a formal identification process and are only available by some selected companies.
    Since installing new certificates for Apache Webservers is nothing specific to SFEE, let me just refer you to an excellent blog post describing how to set up these certificates in general: http://www.sitepoint.com/article/securing-apache-2-server-ssl
    I hope that I could help you a bit, please tell me if you encounter any problems
    Johannes
