Re: Problem with SSL auth with preshared certs E120171

From: simon <simon_at_iscandar.demon.co.uk>
Date: Tue, 21 Jan 2014 14:11:47 +0000

On 20/01/14 17:47, Stefan Küng wrote:
> On 20.01.2014 11:31, Simon D Morris wrote:
>> Stefan Küng <tortoisesvn_at_gmail.com> wrote on 17/01/2014 20:14:53:
>>
>> >
>> > Also: TSVN has the CAPI engine enabled in OpenSSL which might interfere
>> > here in your situation. You can disable this by creating a DWORD value
>> > in the registry under
>> > HKCU\Software\TortoiseSVN\OpenSSLCapi
>> > and set it to 0.
>> > That will disable the CAPI engine.
>> >
>> > Stefan
>>
>>
>> Tried the reg fix - it works fine now.
>>
>> I presume this is Windows' own crypto functions, certificate store etc?
>> As far as I can tell, IE is happy with the site as I added my CA as
>> trusted - so why does TSVN/openssl baulk?
> You have a matching cert in the windows cert store, but that cert does
> not authorize you to access the repo. Another cert is apparently needed
> for that.
>
> If there's only one cert that matches the server request in the cert
> store, the OpenSSL CAPI engine uses that cert and does not offer a retry
> if that cert does not succeed in authentication.
>
>
How can I debug this? Are there any diagnostics I can enable?

I have the CA imported, and my client cert (signed by the CA) imported.

Having just:
- Uninstalled all client/ca certs
- Rebuilt my server/CA certs from the ground up
- Installed the new CA & client certs on the client

I observe:
- IE recognises the client cert as being signed by the CA
- When the server provides its cert, IE recognises that as being signed
by the CA.
- TSVN does _not_ recognise the server cert as being signed by a
recognised CA.

I don't believe IE is built on anything other than the Windows Crypto API
- so why does it work, and TSVN not?

I don't particularly /want/ to use the registry "fix", but it's starting
to look like I'm going to have to for now.

--
Simon
Received on 2014-01-21 15:11:59 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.