[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

SVN fails when SSL Server asks for renegotation

From: Mads B. Tandrup <mads_t_at_yahoo.com>
Date: 2006-05-02 14:07:50 CEST

Hello

I'm not sure if this is a bug in subversion or a 'feature'. I've tried the users list withou result. But here goes.

I am trying to set up our SSL server to provide access to our SVN repositories. The SSL server hosts our webmail along with other applications.
We would like to authenticate all access to our SVN repositories with client side SSL certificates. On the other hand, we will not require webmail users and the other applications on the SSL server to provide client certificates.
According to the mod_ssl 2.8 documentation, this can be accomplised using the SSLVerifyClient directive (http://www.modssl.org/docs/2.8/ssl_reference.html#ToC17) in a per-directory context.

Our Apache SVN configuration looks like this:
  <Location /svn>
    DAV svn
    SVNParentPath /home/svn/
    SVNIndexXSLT "/svnindex.xsl"
  
    SSLVerifyClient require
    SSLRequireSSL
  
    AuthType Basic
    AuthName "Our company"

    Require valid-user
  
    Satisfy All
  </Location>

Apart from this the SSL servers general configuration includes SSLCACertificateFile info.

When I access the repository using Firefox or Internet Explore it works fine. The client is required to present a certificate when browsing https://ssl.ourcompany.com/svn/foo, but not https://ssl.ourcompany.com/webmail or other locations on the server. As expected.

But when I try to use SVN to access the repository it says:
 $ svn co https://ssl.ourcompany.com/svn/foo
 svn: PROPFIND request failed on '/svn/foo'
svn: PROPFIND of '/svn/foo': Could not read status line: SSL error: sslv3 alert unexpected message (https://ssl.ourcompany.com)

If I change the apache configuration, such that the overall SSL configuration includes "SSLVerifyClient optional". And removes "SSLVerifyClient require" from the SVN configuration, it works:
$ svn co https://ssl.ourcompany.com/svn/foo
Authentication realm: https://ssl.ourcompany.com:443
Client certificate filename: mads.tandrup-cert.p12
Passphrase for 'mads.tandrup-cert.p12':
A foo/trunk
[...]
A foo/tags
Checked out revision 2749.

But now the webmail prompts the client for an certificate as well, which I do not want.

For me it seems like the svn client gives up when the SSL server asks for an renegotation.

My versions are:
On my client:
$ svn --version
svn, version 1.2.3 (r15833)
   compiled Dec 4 2005, 03:38:36

$ openssl version
OpenSSL 0.9.8a 11 Oct 2005

And on the SSL server:
$ svn --version
svn, version 1.2.3 (r15833)
   compiled Dec 6 2005, 12:08:31

$ openssl version
OpenSSL 0.9.7e 25 Oct 2004

I've tried with TortoiseSVN on a Windows PC with the same result. TortoiseSVN version info is:
TortoiseSVN 1.3.3, Build 6219 - 32 Bit
Subversion 1.3.1,
apr 0.9.7
apr-iconv 0.9.7
apr-utils 0.9.7
berkeley db 4.3.28
neon 0.25.4
OpenSSL 0.9.8a 11 Oct 2005
zlib 1.2.3

Best regards,
Mads B. Tandrup
 

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue May 2 14:08:19 2006

This is an archived mail posted to the Subversion Dev mailing list.