On 8/1/2018 9:25 AM, Folker Schamel wrote:
> On 2018-07-31 21:09, Philip Martin wrote:
>> Daniel Shahaf<d.s_at_daniel.shahaf.name> writes:
>>
>>> Subversion uses Serf, which uses OpenSSL, which talks to an SSL implementation
>>> on the server. The root cause of the error is known to the SSL implementation
>>> on the server (that's why you see it in the error log). It's not obvious that
>>> OpenSSL on the client side even knows what the root cause is.
>> In this case the client knows exactly what is wrong, it's the one
>> closing the connection because:
>>
>> 140258270184704:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:303:
>>
>> Could we get our client to show that error? We would need a new serf
>> API to marshal the error message back to Subversion.
> This sounds like the best solution to me.
>
> Until then, some short note in the Subversion release notes would have
> saved us a lot of time, for example:
>
> Section title: Potential need for creating new CA keys and new client
> certificates
> Section text:
> This Subversion release upgrades OpenSSL from 1.0 to 1.1, which
> doesn't allow md5 hashes for CA keys anymore.
That's the catch here. Subversion does not ship with OpenSSL by itself.
From Subversion's point of view this is a 3rd-party dependency. You can
easily build Subversion 1.9.x/1.10.x with OpenSSL 1.0.x. Whether or not
you run into this issue therefore is outside the scope of Subversion
IMO. It's something the distribution of Subversion (in your case the
Debian Subversion distribution) should document. Note that in principle
you could very well run into the same situation with Subversion 1.8 or
even 1.7, if you build one version with OpenSSL <= 1.0 and the other
with OpenSSL >= 1.1 (or set certain OpenSSL configs which also would
flag md5 digests as being too weak with older OpenSSL versions).
> When using client certificates signed by such a CA, the new Subversion
> client now fails with "An error occurred during SSL communication".
> You can analyze the underlying cause by converting the client
> certificate from p12 to pem by"openssl pkcs12 -in path/to/svn/cert.p12
> -out cert.pem" and then test the SSL connection by "openssl s_client
> -connect example.com:443 -servername example.com -cert cert.pem".
> If this test connection fails with "ca md too weak", then creating new
> CA keys using sha256 instead of md5 and corresponding new client
> certificates should solve the problem.
> See also
> https://lists.apache.org/thread.html/66b9bfa0a83693c3ccef34b29056c7e73a0d21cd4b70cd7f7519fa57@%3Cdev.subversion.apache.org%3E.
>
> Cheers,
> Folker
It could be something worthwhile adding to the FAQ however, though then
in a more general manner like:
Troubleshooting Subversion SSL connection.
--
Regards,
Stefan Hett
Received on 2018-08-01 12:37:32 CEST