[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Bug in ra_serf with client certificates

From: Branko Čibej <brane_at_wandisco.com>
Date: Tue, 28 Jan 2014 14:17:13 +0100

On 28.01.2014 13:53, Branko Čibej wrote:
> I just got a private report from a user that has a setup with a
> private certificate. This user happened to select the wrong
> certificate for a server, and got the following response:
>
> svn: E120171: Unable to connect to a repository at URL 'https://example.com/svn/foobar'
> svn: E120171: Error running context: An error occurred during SSL communication
>
> This the error code E120171 comes from Serf and apparently means
> SERF_ERROR_AUTHN_FAILED. There's corroboration in the server log:
>
> [Tue Jan 28 13:32:47 2014] [info] SSL Library Error: 336105671 error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate No CAs known to server for verification?
>
> The bug, as I see it, is that in this case, the command-line client
> doesn't ask for different credentials. Shouldn't we be transforming
> (or wrapping) SERF_ERROR_AUTHN_FAILED to SVN_ERR_RA_NOT_AUTHORIZED?

To follow up, apparently the command-line client never even asks for a
client cert ... even when ~/.subverion/auth is completely removed.

-- Brane

-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane_at_wandisco.com
Received on 2014-01-28 14:17:52 CET

This is an archived mail posted to the Subversion Dev mailing list.