
Re: SSL / Client certificates error

From: Lieven Govaerts <lgo_at_apache.org>
Date: Wed, 2 Apr 2014 19:17:12 +0200

On Wed, Apr 2, 2014 at 4:24 PM, Bob Archer <Bob.Archer_at_amsi.com> wrote:
> If this occurs using the svn command line I would suggest you ask about it
> in the Subversion Edge support forum at CollabNet.
>
> From: David Yates [mailto:davidgyates_at_hotmail.com]
> Sent: Tuesday, April 01, 2014 1:01 PM
> To: users_at_tortoisesvn.tigris.org
> Subject: SSL / Client certificates error
>
> I've set up Subversion Edge 4.0.5-3835.124 with TortoiseSVN 1.8.5 - both
> built with SVN 1.8.8 - all current release versions.
>
> I've set this up with SSL and it's working fine.
>
> But....I've also set up client authentication and this is where the problem
> starts.
>
> Navigate a browser (Chrome or I.E.) to either the https://mysite.com/svn or
> https://mysite.com/viewvc and I can select a client certificate and it works
> fine.
>
> I've managed to commit a large tree of files to SVN in this configuration
> and this too worked fine. My configuration and client authentication itself
> seems to be configured OK.
>
> Checking out or attempting an update and it starts (creates a few
> directories) and then I consistently get the error:
>
> Error: Error retrieving REPORT: An error occurred during SSL communication
>
> using TortoiseSVN and
>
> svn: E120171: Error retrieving REPORT: An error occurred during SSL
> communication
>
> using the command line client.
>
> The all-knowing Internet suggested that this might be related to "OpenSSL
> renegotiation" failing.
>

This looks like serf issue #135 [1], which is caused by OpenSSL not
handling renegotiation correctly when multiple pipelined requests are
being received by the server. See my comment #10 in the serf issue for
links to the OpenSSL issue.

A workaround is to configure the server to request the client
certificate at the highest possible level, so that renegotiation isn't
needed.

Another workaround would be to disable pipelining completely, but this
hasn't been implemented yet, and requires changes in both Subversion
and Serf.

I suggest you also ping the openssl users list; this issue has been known
for a long time but hasn't received any attention from the openssl
devs.

hth,

Lieven

[1] https://code.google.com/p/serf/issues/detail?id=135

>
> Here's the associated server log:
>
> [Tue Apr 01 17:37:27.949496 2014] [ssl:error] [pid 788:tid 1344] [client
> 132.185.160.98:63578] AH02261: Re-negotiation handshake failed: Not accepted
> by client!?
>
> [Tue Apr 01 17:37:27.996371 2014] [dav:error] [pid 788:tid 1380] [client
> 132.185.160.98:63278] Provider encountered an error while streaming a REPORT
> response. [500, #0]
>
> [Tue Apr 01 17:37:27.996371 2014] [dav:error] [pid 788:tid 1380] [client
> 132.185.160.98:63278] A failure occurred while driving the update report
> editor [500, #730053]
>
> I'd already turned off OpenSSLCapi as per other suggestions to fix other
> client authentication problems and explicitly configured the client cert in
> the servers file.
>
> So...I'm happy my config is OK - looks like possible fault already
> identified within openssl - but I'm stuck
>
> Thanks,
>
> David Yates
>
> Developer
>
> Tortoise about box:
>
> TortoiseSVN 1.8.5, Build 25224 - 64 Bit , 2014/02/18 20:05:11
> Subversion 1.8.8, -release
> apr 1.5.0
> apr-util 1.5.3
> serf 1.3.4
> OpenSSL 1.0.1f 6 Jan 2014
> zlib 1.2.8
>
> Servers file:
>
> [global]
> ssl-authority-files=C:\mypath\cacert.crt
> ssl-client-cert-file = C:\mypath\svn_user.pfx
>
> Server config (ssl_httpd.conf):
>
> SSLCACertificateFile c:\mypath\cacert.crt
>
> <Location ~ "/(svn|viewvc)/core_system">
> # for the given path (in location) tell it that
> # client verification is needed
> SSLVerifyClient require
> SSLVerifyDepth 1
> # checks that the client cert must have been issued by us
> SSLRequire %{SSL_CLIENT_I_DN_CN} eq "certs.bncs.tv"
> </Location>
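As an added example (not from either poster), the per-Location configuration quoted above is shown next to the virtual-host-level variant that the reply describes as the workaround, so the two placements of SSLVerifyClient can be compared directly. The vhost skeleton, ServerName and the server certificate/key paths are assumptions, and only one of the two stanzas should be active on a real server.

```apache
# --- Before: verification requested per Location (the quoted config) ---
# mod_ssl only learns which Location applies after it has read the request,
# so it must renegotiate the already-established TLS session to ask for the
# client certificate. With serf pipelining several requests over one
# connection, that mid-stream renegotiation is what fails (AH02261 above).
<VirtualHost *:443>
    # vhost skeleton and server cert/key paths are placeholders
    ServerName mysite.com
    SSLEngine on
    SSLCertificateFile    c:\mypath\server.crt
    SSLCertificateKeyFile c:\mypath\server.key
    SSLCACertificateFile  c:\mypath\cacert.crt

    <Location ~ "/(svn|viewvc)/core_system">
        # per-directory verify mode: forces a renegotiation
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "certs.bncs.tv"
    </Location>
</VirtualHost>

# --- After: verification requested at the virtual-host level ---
# The client certificate is now requested in the initial handshake, so no
# renegotiation is needed however many requests serf pipelines. Cost: every
# path on this vhost now requires a client cert; anything that must stay
# reachable without one needs its own vhost (different name or port).
<VirtualHost *:443>
    ServerName mysite.com
    SSLEngine on
    SSLCertificateFile    c:\mypath\server.crt
    SSLCertificateKeyFile c:\mypath\server.key
    SSLCACertificateFile  c:\mypath\cacert.crt

    # server-level verify mode and depth: part of the initial handshake
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Location ~ "/(svn|viewvc)/core_system">
        # SSLRequire only inspects the certificate already presented; it
        # changes neither verify mode nor depth, so no renegotiation results.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "certs.bncs.tv"
    </Location>
</VirtualHost>
```

Comments in httpd.conf must sit on their own lines, which is why none are placed after a directive; a quick check that the change took effect is that the AH02261 re-negotiation error no longer appears in the ssl error log during a checkout.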

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3075712

Received on 2014-04-02 19:17:36 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.