
Re: SSL renegotiation

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2003-05-13 21:47:55 CEST

On Tue, May 13, 2003 at 12:05:37AM +0200, Martin v. Löwis wrote:
> It seems I can't get SSL handshake renegotiation to work. In my
> httpd.conf, I have
>
> <Location /playground>
> SSLVerifyClient require
> DAV svn
> SVNPath /export/svn/playground
>
> SVNAutoversioning on
> </Location>
>
> i.e. I only require a client certificate for this repository, not for
> the entire server. When I activate SSLVerifyClient globally, it works
> fine. If I activate it as shown, I get
>
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND of /: 405 Method Not Allowed

If I understand the code correctly, this will not work properly with the
current port of mod_ssl to Apache 2.0 - there is a big comment in
ssl_engine_kernel.c talking about how renegotiations aren't supported
for requests with bodies. (it talks about POST, but I don't see why it
wouldn't apply to any request with a body, such as the PROPFIND being
used here)

You might like to try using:

  SSLVerifyClient optional

globally, which will always request a client cert during the initial SSL
negotiation, but not care if one isn't presented, and for the protected
location:

  SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

though using "SSLVerifyClient optional" is known to break the SSL
implementations in some web browsers, if you care about that.

I'd be interested to hear whether that works!

Regards,

joe

Received on Tue May 13 21:54:25 2003
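
An added example, not part of the original mail and not Subversion or mod_ssl code: a small Python check that flags per-location `SSLVerifyClient` settings stricter than the server-level one, which is the layout that depends on renegotiation in the thread above. The function name, the simplified level ordering and both sample configurations are assumptions constructed for illustration; all directives outside `<Location>`/`<Directory>` are treated as one server-level scope.

```python
import re

# Constructed sample: the per-location layout quoted in the thread.
FAILING = """\
SSLEngine on
<Location /playground>
SSLVerifyClient require
DAV svn
SVNPath /export/svn/playground
</Location>
"""

# Constructed sample: the workaround suggested in the reply.
WORKAROUND = """\
SSLEngine on
SSLVerifyClient optional
<Location /playground>
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
DAV svn
SVNPath /export/svn/playground
</Location>
"""

# Simplified strength order (assumption): a stricter level inside a section
# than at server level means the cert is requested after the first handshake.
LEVELS = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}

def renegotiation_risks(conf):
    """Return (section, level) pairs stricter than the server-level setting."""
    server_level, section, per_section = "none", None, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(?:Location|Directory)(?:Match)?\s+(.+?)>$", line, re.I)
        if opened:
            section = opened.group(1).strip('"')
        elif re.match(r"</(?:Location|Directory)", line, re.I):
            section = None
        else:
            m = re.match(r"SSLVerifyClient\s+(\S+)", line, re.I)
            if m and section is None:
                server_level = m.group(1).lower()
            elif m:
                per_section.append((section, m.group(1).lower()))
    # Compare after the full pass so a server-level line below a section counts.
    base = LEVELS.get(server_level, 0)
    return [(s, lvl) for s, lvl in per_section if LEVELS.get(lvl, 0) > base]
```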

This is an archived mail posted to the Subversion Dev mailing list.