
[TSVN] TortoiseSVN: Problem getting SSL Client Certificates to work

From: Nigel Green <nigel.green_at_sslz.com>
Date: 2004-10-15 17:05:45 CEST

Hi Folks,
I am hoping that you will be able to assist me with the problem
described below.

_Problem getting SSL Client Certificates to work_

I can get TortoiseSVN to work correctly with client
SSL certificates if the Apache2 server is set in "per-server" client
certificate mode,
i.e. the "SSLVerifyClient" Apache configuration line is in the main body
of the server config (not under a Virtual Host/Directory).
This confirms to me that the client certificate and CA certificate are
available and being accessed correctly by TortoiseSVN.

So, I can browse the repository OK.
However, if I move the following lines inside the <Location /svn>
section within the "VirtualHost":

    SSLVerifyClient require
    SSLVerifyDepth 1

then TortoiseSVN gives the following error within the repository browser
when I attempt to browse the same repository which I was browsing
successfully:
"* PROPFIND reques failed on '/svn/test' PROPFIND of '/svn/test': Could
not read status line: SSL error: sslv3 alert unexpected message
(https://localhost)"
However, I can access the same repository with my "Firefox" browser
(version 1.0) without error with the same client certificate installed,
so I know the Apache2 server is working OK.

I understand from the Apache2 documentation that moving the
"SSLVerifyClient" directive into the "Location" section switches the
client certificate verification into "per-directory" mode, which forces
a re-negotiation after the HTTPS request is read.

So my question is: Is there something I have missed in my configuration
of TortoiseSVN to accept client certificates, or is there a bug to do
with client certificates when SSL renegotiation occurs?

My TortoiseSVN version info:

    TortoiseSVN 1.1.0, Build 1769, UNICODE
    Subversion 1.1.0,
    apr 0.9.5
    apr-iconv 0.9.5
    apr-utils 0.9.5
    berkeley db 4.2.52
    neon 0.24.7
    OpenSSL 0.9.7d 17 Mar 2004
    zlib 1.2.1

My Apache2 server version info:

    Apache/2.0.52 (Unix) mod_perl/1.99_16 Perl/v5.8.5 mod_ssl/2.0.52
    OpenSSL/0.9.6b DAV/2 SVN/1.1.0 PHP/4.3.9
    Subversion 1.1.0

My TortoiseSVN application data (under "Documents and Settings" for my
user) on my Windows2000 PC, "Servers" file:

    [global]
    ssl-authority-files = <full path to>CA.crt
    [groups]
    myserver = localhost
    [myserver]
    ssl-client-cert-file = <full path to>MyCertificate.p12

(the "<full path to>" contains the actual path to the PC file)

I do hope that you will be able to help resolve this question, as I have
spent several hours trying to get it to work without success.

Many thanks,

Nigel Green
Received on Fri Oct 15 18:18:12 2004

This is an archived mail posted to the TortoiseSVN Dev mailing list.
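
The per-server versus per-directory distinction described in the mail above can be checked mechanically. The following is an added example, not code from the original mail or from the Apache or TortoiseSVN projects: it walks an Apache config and reports, for each SSLVerifyClient, whether it sits in per-server context (applied in the initial handshake) or per-directory context (renegotiation after the request is read). The sample config and the function names are constructed for illustration.

```python
import re

# Per-directory containers; <VirtualHost> is absent because it is per-server.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")

# Constructed sample config, not the poster's actual httpd.conf.
SAMPLE = """\
<VirtualHost _default_:443>
    SSLVerifyClient none
    <Location /svn>
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>
"""

def classify_verify_client(conf_text):
    """Return (lineno, level, mode, enclosing) for each SSLVerifyClient."""
    stack, found = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE.fullmatch(line)
        if closing:
            if stack and stack[-1][0] == closing.group(1).lower():
                stack.pop()
            continue
        opening = OPEN.fullmatch(line)
        if opening:
            stack.append((opening.group(1).lower(), opening.group(2).strip()))
            continue
        parts = line.split()
        if parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            per_dir = any(name in PER_DIR for name, _ in stack)
            mode = "per-directory" if per_dir else "per-server"
            where = " > ".join(f"{n} {a}".strip() for n, a in stack) or "main"
            found.append((lineno, parts[1], mode, where))
    return found

def renegotiation_triggers(conf_text):
    return [hit for hit in classify_verify_client(conf_text)
            if hit[2] == "per-directory"]

if __name__ == "__main__":
    print(renegotiation_triggers(SAMPLE))
```

The parser is simplified: it reads a single file and does not follow Include directives, line continuations or .htaccess files.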
