
Problem with SSLRequire

From: David Rosenstrauch <darose_at_darose.net>
Date: Tue, 17 Nov 2009 17:24:08 -0500

I've recently set up SVN on Apache WebDAV, using SSL, along with LDAP
authentication. All's been working like a charm.

However, for various reasons out of my control it's been decided that we
need to use an alternate port for SSL (81), and that in addition SVN
should not be accessible over the standard https port of 443.

The 2 SSL ports are set up on the server using a virtual host directive
(<VirtualHost _default_:443 _default_:81>). And I thought I'd found the
correct way to do the restriction by port number, by using Apache's
SSLRequire directive. But when I enable that directive, SVN starts
throwing errors like:

svn: REPORT request failed on '/svn/ourrepo/!svn/vcc/default'
svn: Not authorized to open root of edit operation

It seems that the SSLRequire directive is somehow blocking the SVN
client from connecting using HTTP REPORT. But I'm quite puzzled as to
why that should be the case. (Particularly because when I query the
repository on both SSL ports from a web browser all works as expected.)

Although googling turned up a number of pages referring to the same
error message, I didn't see any concrete solution. Anyone have any
wisdom/workarounds on this problem? Our Apache subversion.conf is
attached below.

Thanks,

DR

--
LoadModule dav_svn_module     modules/mod_dav_svn.so
LoadModule authz_svn_module   modules/mod_authz_svn.so
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
<Location /svn>
    DAV svn
    SVNParentPath /var/svn
    # Require SSL connection for SVN access
    SSLRequireSSL
    # Require SSL over non-obvious port 81 for SVN access
#   SSLRequire %{SERVER_PORT} == 81
#   SSLRequire %{SERVER_PORT} eq "81"
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Subversion"
    AuthLDAPURL ldaps://ldap.ourdomain.com/ou=users,dc=ourdomain,dc=com?uid?one
    AuthLDAPBindDN uid=subversion,ou=system,dc=ourdomain,dc=com
    AuthLDAPBindPassword <one of our system ldap passwords>
    AuthzLDAPAuthoritative off
    Require valid-user
    Require ldap-attribute employeeType=active
</Location>
Received on 2009-11-17 23:25:22 CET
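
Another way to express the port restriction described in the message, as an added example that is not part of the original post and not a reply from the list: rather than testing %{SERVER_PORT} with SSLRequire, the <Location /svn> block is moved out of the server-wide subversion.conf and into a virtual host that answers only on port 81. The split into two virtual hosts, the certificate paths and the bind-password placeholder are assumptions; the remaining directives are copied from the posted configuration.

```apache
# Added example, not part of the original post. Assumes Listen directives for
# both ports already exist; certificate paths are placeholders.

# Port 443: TLS site without Subversion. mod_dav_svn is not enabled here.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Explicit deny so nothing else can serve /svn on this port.
    # Apache 2.2-style access control; on 2.4 use "Require all denied".
    <Location /svn>
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

# Port 81: the only virtual host that exposes the repositories.
<VirtualHost _default_:81>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        # Still refuse any non-TLS request that reaches this block.
        SSLRequireSSL

        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Subversion"
        AuthLDAPURL ldaps://ldap.ourdomain.com/ou=users,dc=ourdomain,dc=com?uid?one
        AuthLDAPBindDN uid=subversion,ou=system,dc=ourdomain,dc=com
        # Placeholder value, not a real credential.
        AuthLDAPBindPassword LDAP_BIND_PASSWORD_PLACEHOLDER
        AuthzLDAPAuthoritative off
        Require valid-user
        Require ldap-attribute employeeType=active
    </Location>
</VirtualHost>
```

With this layout the server-wide <Location /svn> block has to be removed from subversion.conf, since a Location defined at server level is merged into every virtual host.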

This is an archived mail posted to the Subversion Users mailing list.
