On Wed, Aug 29, 2012 at 10:32 AM, Joel Jirak <joel_at_jirak.us> wrote:
> Versions affected: 1.7.7, 1.7.8
> Last working: 1.7.6
>
> Symptom: When connecting to a server via https and that server requires a
> client certificate, if you have zero certificates in your windows
> certificate store, you get: "SSL handshake failed: SSL error: cant get
> key". This error occurs even if you have a valid client certificate
> specified in your servers file.
>
> Candidate fix: svn merge -c 22726
> http://tortoisesvn.googlecode.com/svn/trunk <wc for branches/1.7.x>
>
> I'll send an explanation later.
>
> Joel Jirak
>
>
My best explanation:

TSVN is compiled with OpenSSL with CAPI enabled, which lets TSVN use certs
stored in your Windows certificate store.

TSVN uses a patched version of e_capi.c from OpenSSL. The patch is
necessary to support disabling CAPI at runtime via a registry key.

TSVN 1.7.6 was compiled with OpenSSL 1.0.0g and the patched e_capi.c. It
did not exhibit the problem.

TSVN 1.7.7/1.7.8 were compiled with OpenSSL 1.0.1c. The patched e_capi.c
file was updated on the trunk to match the version of this file from 1.0.1c
(presumably) but was not updated on the 1.7.x branch.

Merging this updated file to the 1.7.x branch fixes the problem, for
reasons which aren't clear to me. The answer lies deep in the bowels of
OpenSSL. I do not have time to perform a colonoscopy today!

Trunk does not exhibit this problem, natch.

I have checked out and built tags/version-1.7.8. It exhibited the problem.
Applying r22726 and rebuilding fixed the problem.

I have checked out and built branches/1.7.x@23241. It exhibited the
problem. Applying r22726 and rebuilding fixed the problem.

All builds were win32 with OpenSSL 1.0.1c.

Disabling CAPI with the registry key, of course, prevents the CAPI engine
from being loaded, and so prevents this symptom from happening.

I have no reason to think that the version of the server matters for this
exact problem.

Why don't other svn clients see this error? All the other clients are
command-line clients, and even though many use the same version of OpenSSL,
they don't compile with CAPI enabled. In fact, almost no one compiles with
it enabled, because googling for 'SSL error: "cant get key"' returns only
results from the TSVN forums. (Strip the single quotes and keep the double
quotes for the exact query.)

It would be nice if someone could expand on my analysis, but I think I
figured out the regression from 1.7.6.

Stefan, have I misunderstood anything?

Joel
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=757&dsMessageId=3001945
Received on 2012-08-29 17:15:02 CEST