[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SSL renegotiation

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2003-05-13 21:47:55 CEST

On Tue, May 13, 2003 at 12:05:37AM +0200, Martin v. L÷wis wrote:
> It seems I can't get SSL handshake renegotiation to work. In my
> httpd.conf, I have
> <Location /playground>
> SSLVerifyClient require
> DAV svn
> SVNPath /export/svn/playground
> SVNAutoversioning on
> </Location>
> i.e. I only require a client certificate for this repository, not for
> the entire server. When I activate SSLVerifyClient globally, it works
> fine. If I activate it as shown, I get
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND of /: 405 Method Not Allowed

If I understand the code correctly, this will not work properly with the
current port of mod_ssl to Apache 2.0 - there is a big comment in
ssl_engine_kernel.c talking about how renegotiations aren't supported
for requests with bodies. (it talks about POST, but I don't see why it
wouldn't apply to any request with a body, such as the PROPFIND being
used here)

You might like to try using:

  SSLVerifyClient optional

globally, which will always request a client cert during the initial SSL
negotiation, but not care if one isn't presented, and for the protected


though using "SSLVerifyClient optional" is known to break the SSL
implementations in some web browsers, if you care about that.

I'd be interested to hear whether that works!



To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue May 13 21:54:25 2003

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.