
RE: SSL / Client certificates error

From: Bob Archer <Bob.Archer_at_amsi.com>
Date: Wed, 2 Apr 2014 14:24:47 +0000

If this occurs using the svn command line, I would suggest you ask about it in the Subversion Edge support forum at CollabNet.

From: David Yates [mailto:davidgyates_at_hotmail.com]
Sent: Tuesday, April 01, 2014 1:01 PM
To: users_at_tortoisesvn.tigris.org
Subject: SSL / Client certificates error

I've set up Subversion Edge 4.0.5-3835.124 with TortoiseSVN 1.8.5 - both built with SVN 1.8.8 - all current release versions.

I've set this up with SSL and it's working fine.

But....I've also set up client authentication and this is where the problem starts.

Navigate a browser (Chrome or I.E.) to either the https://mysite.com/svn or https://mysite.com/viewvc and I can select a client certificate and it works fine.

I've managed to commit a large tree of files to SVN in this configuration and this too worked fine. My configuration and client authentication itself seems to be configured OK.

Checking out or attempting an update and it starts (creates a few directories) and then I consistently get the error:
Error: Error retrieving REPORT: An error occurred during SSL communication
using TortoiseSVN and
svn: E120171: Error retrieving REPORT: An error occurred during SSL communication
using the command line client.

The all-knowing Internet suggested that this might be related to "OpenSSL renegotiation" failing.

Here's the associated server log:
[Tue Apr 01 17:37:27.949496 2014] [ssl:error] [pid 788:tid 1344] [client 132.185.160.98:63578] AH02261: Re-negotiation handshake failed: Not accepted by client!?
[Tue Apr 01 17:37:27.996371 2014] [dav:error] [pid 788:tid 1380] [client 132.185.160.98:63278] Provider encountered an error while streaming a REPORT response. [500, #0]
[Tue Apr 01 17:37:27.996371 2014] [dav:error] [pid 788:tid 1380] [client 132.185.160.98:63278] A failure occurred while driving the update report editor [500, #730053]

I'd already turned off OpenSSLCapi as per other suggestions to fix other client authentication problems and explicitly configured the client cert in the servers file.

So...I'm happy my config is OK - looks like possible fault already identified within openssl - but I'm stuck

Thanks,

David Yates
Developer

Tortoise about box:
TortoiseSVN 1.8.5, Build 25224 - 64 Bit , 2014/02/18 20:05:11
Subversion 1.8.8, -release
apr 1.5.0
apr-util 1.5.3
serf 1.3.4
OpenSSL 1.0.1f 6 Jan 2014
zlib 1.2.8

Servers file:
[global]
ssl-authority-files=C:\mypath\cacert.crt
ssl-client-cert-file = C:\mypath\svn_user.pfx

Server config (ssl_httpd.conf):
SSLCACertificateFile c:\mypath\cacert.crt

<Location ~ "/(svn|viewvc)/core_system">
# for the given path (in location) tell it that
# client verification is needed
SSLVerifyClient require
SSLVerifyDepth 1
# checks that the client cert must have been issued by us
SSLRequire %{SSL_CLIENT_I_DN_CN} eq "certs.bncs.tv"
</Location>

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3075699

Received on 2014-04-02 16:24:55 CEST
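
The server log in the message above reports a failed re-negotiation, and mod_ssl performs one whenever SSLVerifyClient is set in a per-directory context such as <Location>. As an added example (not part of the original thread, and assuming that the per-Location setting is what triggers the renegotiation in this setup), here is the posted configuration beside a variant that requests the client certificate during the initial handshake instead:

```apache
# --- Before (as posted, shown commented out) -------------------------------
# SSLVerifyClient inside <Location> is per-directory context: the TLS session
# starts without a client certificate and mod_ssl renegotiates once the
# request path is known, i.e. in the middle of an svn checkout/update.
#
# <Location ~ "/(svn|viewvc)/core_system">
#     SSLVerifyClient require
#     SSLVerifyDepth 1
#     SSLRequire %{SSL_CLIENT_I_DN_CN} eq "certs.bncs.tv"
# </Location>

# --- After (added example; placement in ssl_httpd.conf is an assumption) ----
# Server / virtual-host context: the certificate is requested once, in the
# initial handshake, so no later renegotiation is needed.
SSLCACertificateFile c:\mypath\cacert.crt
SSLVerifyClient optional
SSLVerifyDepth 1

<Location ~ "/(svn|viewvc)/core_system">
    # No SSLVerifyClient here. Access is still refused unless a certificate
    # was presented, verified against the CA file, and issued by the
    # expected issuer CN.
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
           and %{SSL_CLIENT_I_DN_CN} eq "certs.bncs.tv"
</Location>
```

With `optional` at server level, clients without a certificate can still reach paths outside the protected location; using `require` there instead would demand a certificate for the whole host.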

This is an archived mail posted to the TortoiseSVN Users mailing list.
