On Mon, Oct 11, 2010 at 4:25 PM, Bernd May <bm_at_dv-team.de> wrote:
> Hey all,
>
> I have a curious problem that I seem unable to find precedent for.
>
>
> The Error:
>
> --- on the client side ---
> svn up
> svn: OPTIONS of 'https://<my-domain>/svn/<some-repository>': SSL
> handshake failed: SSL alert received: Decode error (https://<my-domain>)
>
> --- on the server side from apache error.log ---
> [debug] ssl_engine_kernel.c(1756): OpenSSL: Write: SSLv3 read
> certificate verify B
> [Mon Oct 11 16:13:10 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL:
> Exit: failed in SSLv3 read certificate verify B
> [Mon Oct 11 16:13:10 2010] [info] [client <ip-address>] SSL library
> error 1 in handshake (server <my-domain>:443)
> [Mon Oct 11 16:13:10 2010] [info] SSL Library Error: 336101641
> error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong signature size
> [Mon Oct 11 16:13:10 2010] [info] [client <ip-address>] Connection
> closed to child 0 with abortive shutdown (server <my-domain>:443)
>
> --- Clarification: I have obscured the address and repository name with
> <value-name> ---
>
>
> The Setup:
>
> We have an old svn setup here at the company that is accessed via https
> over an apache with the dav_svn and authz_ modules.
> The setup uses client certificates for authentication to the server, so
> only clients with a valid certificate can actually gain access to the
> repositories.
> Versions of the software running on the Server:
> - Apache/2.2.3
> - svn/1.4.2
> - openssl/0.9.8c
> - Debian/etch
>
> Versions of the software running on the client:
> - Ubuntu 10.04
> - svn/1.6.6
> - kernel 2.6.32
> - openssl/0.9.8k
>
> Even though this seems to be more of an ssl-error I thought maybe some
> of you guys have seen it in correlation with svn. Especially because
> this error does not appear on all other clients that run with old hardy,
> openssl 0.9.8g and svn 1.6.9 on kernel 2.6.24.
>
> I'll be grateful for any pointers for clarification or help you can give
> me. If you miss any further data for specification of the error, let me
> know and I will try to provide it.

I haven't seen this, but my first instinct tells me that this is not
related to svn. Seems to me to be purely an apache/openssl/certificate
issue. Maybe there is something strange about your client certs, and
openssl 0.9.8k handles them differently from 0.9.8g?

Can you try some tests without svn, for instance set up apache to
serve a simple static page protected by client cert authentication,
and try to access that with that cert using openssl 0.9.8g vs. 0.9.8k?
Or try to build an svn client on your new machine with openssl 0.9.8g
instead of k?

Disclaimer: I have never tried svn with client cert authentication, so
I'm just guessing here based on your account of the facts ...

Cheers,
--
Johan

Received on 2010-10-11 23:09:59 CEST
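
Added example, not part of either message in the thread: a small Python triage helper that re-joins the wrapped mod_ssl log lines quoted above and decodes the packed OpenSSL error number (336101641 / 14088109) into its library, function and reason fields. It assumes the pre-3.0 OpenSSL error layout (8 bits library, 12 bits function, 12 bits reason); the function names and the SAMPLE_LOG constant are made up for this example.

```python
import re

# Constructed sample: the mod_ssl lines quoted in the post, mail line wraps kept.
SAMPLE_LOG = """\
[Mon Oct 11 16:13:10 2010] [info] [client <ip-address>] SSL library
error 1 in handshake (server <my-domain>:443)
[Mon Oct 11 16:13:10 2010] [info] SSL Library Error: 336101641
error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong signature size
[Mon Oct 11 16:13:10 2010] [info] [client <ip-address>] Connection
closed to child 0 with abortive shutdown (server <my-domain>:443)
"""

ERR_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+)\s+error:(?P<hex>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^\[]*)"
)

def unpack(code):
    """Split a packed pre-3.0 OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def unwrap(text):
    """Re-join wrapped records: a line not starting with '[' continues the previous one."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def decode_ssl_errors(text):
    """Return one finding per 'SSL Library Error' record found in the log text."""
    findings = []
    for record in unwrap(text):
        m = ERR_RE.search(record)
        if not m:
            continue
        dec, hexval = int(m["dec"]), int(m["hex"], 16)
        lib, func, reason = unpack(dec)
        findings.append({
            "library": lib, "function": func, "reason": reason,
            "function_name": m["func"], "reason_text": m["reason"].strip(),
            # The decimal and hex forms must encode the same value.
            "consistent": dec == hexval,
            # SSL3_GET_CERT_VERIFY is the server reading the client's CertificateVerify.
            "client_cert_verify": m["func"] == "SSL3_GET_CERT_VERIFY",
        })
    return findings

if __name__ == "__main__":
    for finding in decode_ssl_errors(SAMPLE_LOG):
        print(finding)
```

The decoded function field places the failure in the server's processing of the client's CertificateVerify message, that is, in the TLS client-certificate step before any DAV/svn request is handled.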