On Tue, May 13, 2003 at 12:05:37AM +0200, Martin v. Löwis wrote:
> It seems I can't get SSL handshake renegotiation to work. In my
> httpd.conf, I have
>
> <Location /playground>
> SSLVerifyClient require
> DAV svn
> SVNPath /export/svn/playground
>
> SVNAutoversioning on
> </Location>
>
> i.e. I only require a client certificate for this repository, not for
> the entire server. When I activate SSLVerifyClient globally, it works
> fine. If I activate it as shown, I get
>
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND of /: 405 Method Not Allowed

If I understand the code correctly, this will not work properly with the
current port of mod_ssl to Apache 2.0 - there is a big comment in
ssl_engine_kernel.c talking about how renegotiations aren't supported
for requests with bodies. (It talks about POST, but I don't see why it
wouldn't apply to any request with a body, such as the PROPFIND being
used here.)

You might like to try using:

    SSLVerifyClient optional

globally, which will always request a client cert during the initial SSL
negotiation, but not care if one isn't presented, and for the protected
location:

    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

though using "SSLVerifyClient optional" is known to break the SSL
implementations in some web browsers, if you care about that.

I'd be interested to hear whether that works!

Regards,

joe
Received on Tue May 13 21:54:25 2003
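
The suggestion from the reply, applied to the Location block from the original message. This is an added example, not part of either post, and the thread does not confirm that it works; the virtual host wrapper and the certificate paths are placeholder assumptions.

```apache
<VirtualHost _default_:443>
    SSLEngine on
    # Placeholder paths (assumptions, not from the thread).
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    # CA that issued the client certificates (placeholder path).
    SSLCACertificateFile  /path/to/client-ca.crt

    # Ask for a client certificate during the initial handshake, so no
    # per-location renegotiation is needed. A client that presents no
    # certificate is still allowed to connect.
    SSLVerifyClient optional

    <Location /playground>
        # No SSLVerifyClient here: a stricter per-location setting is
        # what forces the renegotiation that fails on requests with
        # bodies such as PROPFIND.
        # Deny access unless a certificate was presented and verified.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

        DAV svn
        SVNPath /export/svn/playground
        SVNAutoversioning on
    </Location>
</VirtualHost>
```

mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:reason, so the exact comparison against "SUCCESS" is what keeps certificate-less connections out of /playground while the rest of the server stays reachable without one.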