On 2018-07-31 21:09, Philip Martin wrote:
> Daniel Shahaf <d.s_at_daniel.shahaf.name> writes:
>
>> Subversion uses Serf, which uses OpenSSL, which talks to an SSL implementation
>> on the server. The root cause of the error is known to the SSL implementation
>> on the server (that's why you see it in the error log). It's not obvious that
>> OpenSSL on the client side even knows what the root cause is.
> In this case the client knows exactly what is wrong, it's the one
> closing the connection because:
>
> 140258270184704:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:303:
>
> Could we get our client to show that error? We would need a new serf
> API to marshal the error message back to Subversion.
This sounds like the best solution to me.
Until then, some short note in the Subversion release notes would have
saved us a lot of time, for example:
Section title: Potential need for creating new CA keys and new client
certificates
Section text:
This Subversion release upgrades OpenSSL from 1.0 to 1.1, which doesn't
allow md5 hashes for CA keys anymore.
When using client certificates signed by such a CA, the new Subversion
client now fails with "An error occurred during SSL communication".
You can analyze the underlying cause by converting the client
certificate from p12 to pem by "openssl pkcs12 -in path/to/svn/cert.p12
-out cert.pem" and then test the SSL connection by "openssl s_client
-connect example.com:443 -servername example.com -cert cert.pem".
If this test connection fails with "ca md too weak", then creating new
CA keys using sha256 instead of md5 and corresponding new client
certificates should solve the problem.
See also
https://lists.apache.org/thread.html/66b9bfa0a83693c3ccef34b29056c7e73a0d21cd4b70cd7f7519fa57@%3Cdev.subversion.apache.org%3E.
Cheers,
Folker
Received on 2018-08-01 09:27:19 CEST
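The diagnosis and fix Folker sketches in the proposed release-note text, turned into shell functions. This is an added example, not code from the Subversion project, Serf, or anyone in this thread. It assumes the openssl command-line tool (1.1 or newer) is on PATH; all paths, hostnames, ports, subject names and lifetimes are placeholders. The s_client function needs network access, so an offline stand-in is included: "openssl verify -auth_level 1" applies the same security-level digest check that makes SSL_CTX_use_certificate fail with "ca md too weak", and reports it as "CA signature digest algorithm too weak".

```shell
#!/bin/sh
# Added example for the "ca md too weak" failure discussed in the thread.
# Not code from the Subversion project or the thread's authors. Assumes the
# openssl CLI is installed; every path, host and port is a placeholder.

# Step 1 of the proposed note: unpack the PKCS#12 client certificate that
# Subversion uses into a PEM file holding both certificate and private key.
# -nodes leaves the key unencrypted so s_client can read it non-interactively.
# $3 (optional) is a password source in openssl's -passin syntax, e.g. pass:x.
p12_to_pem() {
    if [ $# -ge 3 ]; then
        openssl pkcs12 -in "$1" -out "$2" -nodes -passin "$3"
    else
        openssl pkcs12 -in "$1" -out "$2" -nodes
    fi
}

# Print the signature algorithm recorded in a PEM certificate, e.g.
# "md5WithRSAEncryption" or "sha256WithRSAEncryption".
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Exit 0 when a signature algorithm uses a digest that OpenSSL 1.1's default
# security level rejects with "ca md too weak" (MD2/MD4/MD5). OpenSSL 3.0 and
# later also reject SHA-1 certificate signatures at the default level, so
# sha1-based algorithms are reported as weak as well.
sig_alg_too_weak() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$alg" in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 of the proposed note: the s_client test, run non-interactively.
# Prints handshake-ok, ca-md-too-weak or failed. Needs network access; with an
# MD5-signed client certificate OpenSSL fails while loading the cert, before
# the TCP connection is even used.
s_client_check() {
    host=$1; port=$2; pem=$3
    if out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                              -cert "$pem" </dev/null 2>&1); then
        echo handshake-ok; return 0
    fi
    case "$out" in
        *"ca md too weak"*) echo ca-md-too-weak; return 1 ;;
        *) echo failed; return 2 ;;
    esac
}

# Offline counterpart: does the default security level (auth_level 1) accept
# the signature digests in the chain CA ($1) -> client cert ($2)? An MD5-signed
# certificate fails here with "CA signature digest algorithm too weak".
chain_digest_ok() {
    openssl verify -auth_level 1 -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 3 of the proposed note: a fresh SHA-256 signed CA and a client
# certificate issued by it, written to directory $1 as ca.pem/ca.key,
# client.pem/client.key and client.p12 (empty export password). Subject
# names and lifetimes are placeholders.
make_sha256_ca_and_client() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -subj "/CN=Example Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=svn-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" >/dev/null 2>&1 &&
    openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -passout pass: >/dev/null 2>&1
}
```

Typical use: p12_to_pem ~/.subversion/auth/cert.p12 cert.pem, then cert_sig_alg cert.pem and sig_alg_too_weak on its output tell you whether the s_client test is even worth running; s_client_check example.com 443 cert.pem reproduces the message's test. After make_sha256_ca_and_client, the new ca.pem also has to be added to the server's trusted client-CA list, otherwise the old-CA failure is just replaced by an "unknown CA" rejection from the server.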