Hello,
I'm trying to set up a Subversion server over httpd. I'm using the packages from David Summers
on a Red Hat 9 machine.
I'm using subversion over https, which works, but the svn commandline exits with:
svn: PROPFIND request failed on '/svn'
svn: PROPFIND of '/svn': Could not read status line: SSL error: sslv3 alert unexpected message (https://lotta.xxxx.net)
sometime after the server certificate has been accepted.
It works with a browser and a client certificate.
I think that the subversion server configuration is erroneous, but I do not
know what to look for...
The ssl configuration is the stock configuration for a redhat 9 apache server.
subversion conf file:
I have tried with and without the LimitExcept clause
I can do a list of the repos if I comment out the "SSLVerifyClient"
directive, but I get no client authentication or authorization!
Kind Regards
Fredrik Svensson
LoadModule dav_module modules/mod_dav.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
<Location /svn>
    DAV svn
    SVNPath /svnroot/lotta
    # Limit write permission to list of valid users.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        AuthzSVNAccessFile /var/www/lotta/svn_auth
        SSLVerifyClient require
        SSLVerifyDepth 5
        SSLCACertificateFile conf/ssl.crt/server.crt
        SSLCACertificatePath conf/ssl.crt
        SSLOptions +FakeBasicAuth
        SSLRequireSSL
        AuthName "Lotta Project realm"
        AuthType Basic
        AuthUserFile /var/www/lotta/password
        require valid-user
    </LimitExcept>
</Location>
neon-debug-mask = 511
[qsvefre_at_localhost qsvefre]$ svn list https://lotta.xxx.net/svn
Creating request...
Running request create hooks.
ah_create, for WWW-Authenticate
Request created.
Doing DNS lookup on lotta.xxx.net...
Running pre_send hooks
Not handling session.
Sending request headers:
PROPFIND /svn HTTP/1.1
Host: lotta.xxx.net
User-Agent: SVN/1.0.3 (r9775) neon/0.24.6
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Sending request-line and headers:
Connecting to 192.36.156.114
Doing SSL negotiation.
Chain depth: 1
Match lotta.xxx.net on ...
Identity match: bad
Cert #0:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=SE, ST=NA, L=LUND, O=Ericsson, OU=CPO, CN=lotta.xxx.net/emailAddress=fredrik.svensson.xf@ericsson.se
Validity
Not Before: May 24 10:17:03 2004 GMT
Not After : May 22 10:17:03 2014 GMT
Subject: C=SE, ST=NA, L=LUND, O=Ericsson, OU=CPO, CN=lotta.xxx.net/emailAddress=fredrik.svensson.xf@ericsson.se
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
15:E1:5C:64:D5:CD:CF:1B:CA:33:D2:68:10:C9:7C:D3:E0:27:6F:9A
X509v3 Authority Key Identifier:
keyid:15:E1:5C:64:D5:CD:CF:1B:CA:33:D2:68:10:C9:7C:D3:E0:27:6F:9A
DirName:/C=SE/ST=NA/L=LUND/O=Ericsson/OU=CPO/CN=lotta.xxx.net/emailAddress=fredrik.svensson.xf@ericsson.se
serial:00
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: md5WithRSAEncryption
Match lotta.xxx.net on lotta.xxx.net...
Identity match: good
Verify result: 18 = self signed certificate
Error validating server certificate for 'https://lotta.xxx.net:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: lotta.xxx.net
- Valid: from May 24 10:17:03 2004 GMT until May 22 10:17:03 2014 GMT
- Issuer: CPO, Ericsson, LUND, NA, SE
- Fingerprint: 5e:79:41:19:d2:dd:9e:7b:a5:f5:43:c8:3b:1d:02:71:34:a0:a8:25
(R)eject, accept (t)emporarily or accept (p)ermanently? t
Sending request body...
Body block (300 bytes):
[<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/></prop></propfind>]
Request body sent: okay.
Request sent; retry is 0.
Aborted request (-1): Could not read status line
Closing connection.
Connection closed.
Running destroy hooks.
Request ends.
svn: PROPFIND request failed on '/svn'
svn: PROPFIND of '/svn': Could not read status line: SSL error: sslv3 alert unexpected message (https://lotta.xxx.net)
ne_session_destroy called.
ne_session_destroy called.
[qsvefre@localhost qsvefre]$
Received on Mon May 24 20:39:04 2004