[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Client Certificate Authentication/Authorization?

From: <Steve.Craft_at_sungard.com>
Date: 2006-05-18 20:51:57 CEST

Thanks, I tried making the following changes in ssl.conf:

<VirtualHost _default_:448>

DocumentRoot E:/.....

      ServerName servername:448

      ErrorLog logs/servername_error.log

      TransferLog logs/servername_transfer.log

      <Location /svn>

        SSLVerifyClient require

        SSLVerifyDepth 1

        SSLOptions +FakeBasicAuth

        DAV svn

        SVNParentPath "e:/....."

        AuthName "Subversion Repositories"

        AuthType Basic

        #Require valid-user

        AuthUserFile "C:/......."

        AuthzSVNAccessFile "........"

        <LimitExcept GET HEAD OPTIONS REPORT CONNECT POST PUT DELETE PATCH
PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>

                        Order allow,deny

                        Allow from all

                     # Require valid-user

      </LimitExcept>

      </Location>

I can still successfully browse the repository using plain old
https://server:448/svn/...

But Tortoise still gives me the PROPFIND error.

I now commented out SSLVerifyClient, SSLVerifyDepth, SSLOptions, restarted
Apache, and can browse successfully. I also changed the port back to 443
and still browsed successfully. So there must be something up with the
client-cert auth....

________________________________

From: news <news@sea.gmane.org> [mailto:news <news@sea.gmane.org>] On
Behalf Of Pierre Couderc <pierre@couderc.cc>

Sent: Thursday, May 18, 2006 2:04 PM

To: users@tortoisesvn.tigris.org

Subject: Re: Client Certificate Authentication/Authorization?

There is some bug in some old version of Apache that makes

"renegotiation" of certificate difficult. I have not successed on Apache

under debian sarge.

I do not know for Windows (so I should not post...) but my solution

under debian has proved useful, and can maybe be ported on Windows:

I use svn not under usual https port(443), but under a dedicated port in

my case https://www.tol..fr:5989/svn/trunk...

Anyway, i did not try with certificates and accepted a crypted password

solution, but it could work with certificate, as the fact of changing of

port may eliminate the need for "renegotiation".

Sorry for so many "could" or "may"...

PC

Steve.Craft@sungard.com a crit :

>

>

> Server is Win32, Svn + Apache. Apache uses client-certificate-only for
auth

> (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular), so

> everyone can view parts of the system but only those with internal

> CA-issued client certs can access my /svn structure.

>

>

>

> I can browse https://theserver/svn/myrepos, get prompted for the client

> cert, select it, and browse.

>

>

>

> Using Tortoise, if I use the Repo Browser on the same URI:

>

>

>

> 1.

>

> Prompt window comes up -

>

> "Error validating server certificate...."

>

> But that does not happen when using IE or Firefox (because I already

> installed the cert).

>

>

>

> Where does Tortoise keep it's list of trusted Cas?

>

>

>

>

>

> I choose to accept the prompt and accept the server certificate

> permanently.

>

>

>

> 2.

>

> The browser shows the tree hierarchy down to the specified path, but if I

> expand another directory to go another level deeper, I see -

>

> "Error *PROPFIND request failed on '/svn......'"

>

> The Apache log says -

>

> [Thu May 18 13:36:47 2006] [error] Re-negotiation handshake failed: Not

> accepted by client!?

>

>

>

> I reckon there is something missing from my Tortoise configuration, but

> what is it?

>

>

>

> Thanks.

---------------------------------------------------------------------

To unsubscribe, e-mail: users-unsubscribe@tortoisesvn.tigris.org

For additional commands, e-mail: users-help@tortoisesvn.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: users-help@tortoisesvn.tigris.org
Received on Thu May 18 20:52:13 2006

This is an archived mail posted to the TortoiseSVN Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.