
Re: Problem with SSL auth with preshared certs E120171

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Fri, 17 Jan 2014 21:14:53 +0100

On 17.01.2014 14:46, Simon D Morris wrote:
> Symptoms
> ----------------
> Any attempt to connect to the repository using HTTPS (list, checkout)
> gives:
> "Unable to connect to repository at URL...."
> "Error running context: An error occurred during SSL communication"
>
>
> BUT
>
> - TortoiseHg is OK - can checkout using same keys/certs
> - IE is OK - can browse repository using same keys/certs
> - Neither TSVN nor the TSVN supplied Command line client work (see below
> for output)
> - The standard windows command line client works with exactly the same
> config file, certs etc (i.e. this one:
> http://sourceforge.net/projects/win32svn/)
> - OpenSSL s_client also connects just fine
>
> TSVN 1.7.6 works ok - nothing later seems to
> Latest dev build fails too.

First: do not use preshared key authentication. Just don't.
http://technet.microsoft.com/en-us/library/cc782582%28v=WS.10%29.aspx

"The use of preshared key authentication is not recommended because it
is a relatively weak authentication method. [...] In addition, preshared
keys are stored in plaintext in the registry. In Active Directory,
preshared keys are stored in readable hexadecimal format."

So again: don't use it!

Anyway: TSVN uses the default compile options for OpenSSL, which means
the weaker algorithms all are disabled or not even compiled in. So if
you use for example MD5 for your preshared key, then it won't work and
never will (with TSVN) because that's not compiled into OpenSSL by
default anymore.

Also: TSVN has the CAPI engine enabled in OpenSSL which might interfere
here in your situation. You can disable this by creating a DWORD value
in the registry under
HKCU\Software\TortoiseSVN\OpenSSLCapi
and set it to 0.
That will disable the CAPI engine.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest interface to (Sub)version control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3071739
Received on 2014-01-17 21:14:55 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.
