
Re: SSL client certificate from Windows certificate store

From: Thomas Åkesson <thomas_at_akesson.cc>
Date: Wed, 9 Nov 2016 10:58:51 +0100

Thanks for your input.

> Does it work when using IE to access the server?

Yes, IE and Chrome work fine.

> What is the exact error?

TortoiseSVN, just the generic:
svn: E120171: Error running context: An error occurred during SSL communication

In the Apache server log:
[2016-11-09 09:46:39.963523] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1970): [client 83.218.70.138:58528] OpenSSL: Handshake: start
[2016-11-09 09:46:39.963538] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: before/accept initialization
[2016-11-09 09:46:39.963555] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: read 11/11 bytes from BIO#7f2004003be0 [mem: 7f200400f380] (BIO dump follows)
[2016-11-09 09:46:39.963582] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: read 506/506 bytes from BIO#7f2004003be0 [mem: 7f200400f38e] (BIO dump follows)
[2016-11-09 09:46:39.963614] [ssl:debug] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(2096): [client 83.218.70.138:58528] AH02043: SSL virtual host for servername … found
[2016-11-09 09:46:39.963643] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.963651] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 75/75 bytes to BIO#7f2004004140 [mem: 7f20040174d3] (BIO dump follows)
[2016-11-09 09:46:39.963670] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.963683] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 3212/3212 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)
[2016-11-09 09:46:39.963693] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.965110] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 338/338 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)
[2016-11-09 09:46:39.965122] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.965162] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 4096/4096 bytes to BIO#7f2004003b60 [mem: 7f2004006960] (BIO dump follows)
[2016-11-09 09:46:39.965169] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 1346/1346 bytes to BIO#7f2004004140 [mem: 7f200400f383] (BIO dump follows)
[2016-11-09 09:46:39.965176] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:39.965200] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2056): [client 83.218.70.138:58528] OpenSSL: write 875/875 bytes to BIO#7f2004003b60 [mem: 7f2004006960] (BIO dump follows)
[2016-11-09 09:46:39.965218] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(1979): [client 83.218.70.138:58528] OpenSSL: Loop: unknown state
[2016-11-09 09:46:40.049290] [ssl:trace4] [pid 18909:tid 139775306540800] ssl_engine_io.c(2065): [client 83.218.70.138:58528] OpenSSL: I/O error, 5 bytes expected to read on BIO#7f2004003be0 [mem: 7f2004011003]
[2016-11-09 09:46:40.049434] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(2008): [client 83.218.70.138:58528] OpenSSL: Exit: error in unknown state
[2016-11-09 09:46:40.049491] [ssl:trace3] [pid 18909:tid 139775306540800] ssl_engine_kernel.c(2008): [client 83.218.70.138:58528] OpenSSL: Exit: error in unknown state
[2016-11-09 09:46:40.049549] [ssl:debug] [pid 18909:tid 139775306540800] ssl_engine_io.c(1227): (70014)End of file found: [client 83.218.70.138:58528] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[2016-11-09 09:46:40.049602] [ssl:info] [pid 18909:tid 139775306540800] [client 83.218.70.138:58528] AH01998: Connection closed to child 86 with abortive shutdown (server …)

My interpretation is that the client does not present any certificate. Strange, because an entry is created in CAPIAuthz which means the certificate was found by e_capi.c. Perhaps the certificate triggers an error somewhere in the client but an error that is not triggered when the same cert is used from p12-file…

When connecting with IE/Chrome I can see the whole depth of CA certs validated in the Apache log.

> Note that apache requires having the root (topmost) signing CA in its trusted CA list.

Yes, I think it is correct. The same cert works with IE/Chrome and with Tortoise when configured as p12-file.

> Also check the SSLVerifyDepth setting of apache/mod_ssl.

Yes, it is set to 10.

Is there any way to get stderr or other logging from TortoiseSVN / the bundled svn command?

Thanks,
Thomas Å.

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3193230

Received on 2016-11-09 10:59:33 CET

This is an archived mail posted to the TortoiseSVN Users mailing list.
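
Added example (not part of the original mail, and not TortoiseSVN or Apache code): a Python script that condenses a mod_ssl trace log like the one quoted in this message into one outcome per client connection, so the point at which the peer dropped the handshake is visible at a glance. The sample lines are constructed in the same format with documentation addresses, and the outcome labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the mod_ssl trace format quoted in the mail.
SAMPLE = """\
[2016-11-09 09:46:39.963523] [ssl:trace3] [pid 1:tid 2] ssl_engine_kernel.c(1970): [client 192.0.2.10:58528] OpenSSL: Handshake: start
[2016-11-09 09:46:39.963582] [ssl:trace4] [pid 1:tid 2] ssl_engine_io.c(2056): [client 192.0.2.10:58528] OpenSSL: read 506/506 bytes from BIO#1 [mem: 2] (BIO dump follows)
[2016-11-09 09:46:39.963683] [ssl:trace4] [pid 1:tid 2] ssl_engine_io.c(2056): [client 192.0.2.10:58528] OpenSSL: write 3212/3212 bytes to BIO#1 [mem: 2] (BIO dump follows)
[2016-11-09 09:46:40.049290] [ssl:trace4] [pid 1:tid 2] ssl_engine_io.c(2065): [client 192.0.2.10:58528] OpenSSL: I/O error, 5 bytes expected to read on BIO#1 [mem: 2]
[2016-11-09 09:46:40.049549] [ssl:debug] [pid 1:tid 2] ssl_engine_io.c(1227): (70014)End of file found: [client 192.0.2.10:58528] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[2016-11-09 09:46:41.000000] [ssl:trace3] [pid 1:tid 3] ssl_engine_kernel.c(1970): [client 192.0.2.20:40000] OpenSSL: Handshake: start
[2016-11-09 09:46:41.000100] [ssl:trace4] [pid 1:tid 3] ssl_engine_io.c(2056): [client 192.0.2.20:40000] OpenSSL: read 517/517 bytes from BIO#1 [mem: 2] (BIO dump follows)
[2016-11-09 09:46:41.010000] [ssl:trace3] [pid 1:tid 3] ssl_engine_kernel.c(2003): [client 192.0.2.20:40000] OpenSSL: Handshake: done
"""

CLIENT = re.compile(r"\[client ([^\]]+)\] (.*)$")        # peer address and message
IO = re.compile(r"OpenSSL: (read|write) (\d+)/\d+ bytes")  # BIO read/write trace lines


def summarize(log_text):
    """Group trace lines by client ip:port and collect handshake facts."""
    conns = defaultdict(lambda: {"read": 0, "writes": 0, "done": False, "aborted": False})
    for line in log_text.splitlines():
        m = CLIENT.search(line)
        if not m:
            continue
        conn, msg = conns[m.group(1)], m.group(2)
        io = IO.match(msg)
        if io and io.group(1) == "read":
            conn["read"] += int(io.group(2))       # bytes the server read from the peer
        elif io:
            conn["writes"] += 1                    # server wrote handshake data
        elif msg.startswith("OpenSSL: Handshake: done"):
            conn["done"] = True
        elif msg.startswith("AH02007"):            # handshake interrupted (EOF from peer)
            conn["aborted"] = True
    return dict(conns)


def classify(conn):
    """Label a connection; the labels are this example's own wording."""
    if conn["done"]:
        return "completed"
    if conn["aborted"]:
        return "peer closed after server replied" if conn["writes"] else "peer closed before server replied"
    return "incomplete"


def report(log_text):
    return {client: classify(conn) for client, conn in summarize(log_text).items()}
```
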