
Problem with SVN on Apache using SSLRequire

From: David Rosenstrauch <darose_at_darose.net>
Date: Thu, 19 Nov 2009 23:10:48 -0500

Hi. I've been having a problem with SVN on Apache while using the
SSLRequire directive, that I think is a bug in some component of SVN.

I've posted about it in detail on the users mailing list (see
http://svn.haxx.se/users/archive-2009-11/0510.shtml) but I'll summarize
it here.

In a nutshell, I'm using the following apache config:

...
Listen 443
Listen 81
...
<VirtualHost _default_:443 _default_:81>
...
</VirtualHost>
...
<Location /the_svn_dir>
    DAV svn
    SVNParentPath /var/svn

    # Require SSL connection for SVN access
    SSLRequireSSL
    # Require SSL over non-obvious port 81 for SVN access
    SSLRequire %{SERVER_PORT} == 81
</Location>
...

The result should be the following:
port 80 - forbidden
port 443 - forbidden
port 81 - allowed

And when I use a web browser to view the svn repo over these ports,
that's exactly what happens.

However, when using an SVN client I get the following:
port 80 - forbidden
port 443 - forbidden
port 81 - svn: Not authorized to open root of edit operation

The problem lies somehow in the "SSLRequire" line. When I comment it
out the error goes away. (Though obviously blocking of port 443 goes
away too, which is not desired.)

I did some digging through the web server access logs to try to find out
what's going on, and I noticed a couple of things:

1) When I issue an SVN checkout both with and without the SSLRequire
directive the results are nearly identical, but with one exception. The
final request that SVN issues in the checkout operation is a REPORT
request. When SSLRequire is removed, the REPORT request (REPORT
/the_svn_dir/the_repo_dir/!svn/vcc/default) succeeds (with response code
200). When SSLRequire is re-added, the REPORT request fails (with
response code 500).

2) The reason the REPORT request is failing is because for some reason
it seems to *require* access to port 443. If I set the SSLRequire
directive to "%{SERVER_PORT} <= 443" the error goes away. But if I set
the directive to "%{SERVER_PORT} < 443" the error returns.

Unfortunately my knowledge of SVN, WebDAV, DeltaV and the like is not
sufficient for me to debug this further. Can anyone assist? And shall
I file a bug report for this?

By the way, I forgot to mention the configuration of the server this is
all running on:

* os: centos 5.2
* arch: x86_64
* svn: 1.4.2
* mod_dav_svn: 1.4.2
* apache httpd: 2.2.3
* mod_ssl: 2.2.3

Thanks,

DR

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=462&dsMessageId=2420387
Received on 2009-11-20 07:45:40 CET

This is an archived mail posted to the Subversion Dev mailing list.
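
The access-log comparison described in the message, as an added example that is not part of the original post: it parses two captures of the same checkout, one taken without SSLRequire and one with it, and lists the requests whose response codes differ. The log lines are constructed sample data in Apache's common log format, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Apache common/combined log format: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z-]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample captures (not real logs); only the final REPORT differs.
WITHOUT_SSLREQUIRE = """\
192.0.2.10 - - [19/Nov/2009:22:00:01 -0500] "OPTIONS /the_svn_dir/the_repo_dir HTTP/1.1" 200 189
192.0.2.10 - - [19/Nov/2009:22:00:01 -0500] "PROPFIND /the_svn_dir/the_repo_dir HTTP/1.1" 207 648
192.0.2.10 - - [19/Nov/2009:22:00:02 -0500] "PROPFIND /the_svn_dir/the_repo_dir/!svn/vcc/default HTTP/1.1" 207 401
192.0.2.10 - - [19/Nov/2009:22:00:02 -0500] "REPORT /the_svn_dir/the_repo_dir/!svn/vcc/default HTTP/1.1" 200 5120
"""
WITH_SSLREQUIRE = """\
192.0.2.10 - - [19/Nov/2009:22:05:01 -0500] "OPTIONS /the_svn_dir/the_repo_dir HTTP/1.1" 200 189
192.0.2.10 - - [19/Nov/2009:22:05:01 -0500] "PROPFIND /the_svn_dir/the_repo_dir HTTP/1.1" 207 648
192.0.2.10 - - [19/Nov/2009:22:05:02 -0500] "PROPFIND /the_svn_dir/the_repo_dir/!svn/vcc/default HTTP/1.1" 207 401
192.0.2.10 - - [19/Nov/2009:22:05:02 -0500] "REPORT /the_svn_dir/the_repo_dir/!svn/vcc/default HTTP/1.1" 500 253
"""

def statuses_by_request(log_text):
    """Map (method, path) -> ordered list of response codes seen in one capture."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # blank or malformed lines are skipped
            seen[(m["method"], m["path"])].append(int(m["status"]))
    return seen

def diff_captures(baseline, suspect):
    """Return (method, path, baseline_codes, suspect_codes) where the captures disagree."""
    a, b = statuses_by_request(baseline), statuses_by_request(suspect)
    out = []
    for key in sorted(set(a) | set(b)):
        # Comparing whole lists also catches requests present in only one capture.
        if a.get(key, []) != b.get(key, []):
            out.append((key[0], key[1], a.get(key, []), b.get(key, [])))
    return out

if __name__ == "__main__":
    for method, path, before, after in diff_captures(WITHOUT_SSLREQUIRE, WITH_SSLREQUIRE):
        print(f"{method} {path}: {before} -> {after}")
```

Because SVN clients repeat the same method and path many times during a checkout, the comparison keeps the ordered list of codes per request rather than a single value.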