
ssl certificate problem in svn client

From: Jan <janreise_at_yahoo.de>
Date: 2004-08-16 09:09:27 CEST

I have another client certificates problem: I cannot connect to my
https subversion server with my command line svn client when using
client certificates.

What works:
1. connecting from the command line svn client without client
certificates (i.e. without the SSLVerifyClient directive etc. in my
server side dav_svn.conf)
2. connecting from Mozilla firefox *with* client certificates

It might have something to do with client side certificate handling in
~/.subversion/servers, but I have no idea what it might be
specifically. Is there something I need to know about the files in
~/.subversion/auth/?

Thanks in advance for any hints
Jan

---
Software used:
client: svn 1.0.6 with neon 0.24.7 (pre-built package for Mac OS X 10.3.4 from http://metissian.com/projects/macosx/subversion/)
server: svn 1.0.6. and apache 2.0.48 on debian stable (woody)
---
Client side ~/.subversion/servers:
[groups]
myserver = my.server.org
[myserver]
ssl-client-cert-file = /Users/jan/.sslfiles/jan.p12
[global]
neon-debug-mask=259
ssl-authority-files = /Users/jan/.sslfiles/rootcert.pem
---
The command I've entered:
svn checkout https://my.server.org:443/svn test-repos
---
Apache log:
[Mon Aug 16 07:37:02 2004] [info] Connection to child 0 established (server my.server.org:443, client 213.6.94.2)
[Mon Aug 16 07:37:02 2004] [info] Seeding PRNG with 512 bytes of entropy
[Mon Aug 16 07:37:04 2004] [info] Initial (No.1) HTTPS request received for child 0 (server my.server.org:443)
[Mon Aug 16 07:37:04 2004] [info] Requesting connection re-negotiation
[Mon Aug 16 07:37:04 2004] [info] Awaiting re-negotiation handshake
[Mon Aug 16 07:37:04 2004] [error] Re-negotiation handshake failed: Not accepted by client!?
[Mon Aug 16 07:37:04 2004] [info] Connection to child 0 closed with standard shutdown(server my.server.org:443, client 213.6.94.2)
---
Client output using neon-debug-mask=259:
Match Test Root CA on ...
Identity match: bad
Creating request...
Running request create hooks.
Request created.
Doing DNS lookup on my.server.org...
Running pre_send hooks
Sending request headers:
PROPFIND /svn HTTP/1.1
Host: my.server.org:443
User-Agent: SVN/1.0.6 (r10360) neon/0.24.7
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Sending request-line and headers:
Connecting to 216.93.49.152
Doing SSL negotiation.
Chain depth: 2
Match my.server.org on ...
Identity match: bad
Cert #0:
Certificate:
     Data:
         Version: 1 (0x0)
         Serial Number: 1 (0x1)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: O=Test, OU=CA/emailAddress=admin@my.server.org, L=Test, ST=Test-State, C=DE, CN=Test Root CA
         Validity
             Not Before: Aug 11 11:18:00 2004 GMT
             Not After : Aug 11 11:18:00 2005 GMT
         Subject: C=DE, ST=Test-State, O=Test, OU=Subversion Server, CN=my.server.org
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                 Exponent: 65537 (0x10001)
     Signature Algorithm: md5WithRSAEncryption
Match Test Root CA on ...
Identity match: bad
Cert #1:
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 0 (0x0)
         Signature Algorithm: md5WithRSAEncryption
         Issuer: O=Test, OU=CA/emailAddress=admin@my.server.org, L=Test, ST=Test-State, C=DE, CN=Test Root CA
         Validity
             Not Before: Aug 11 11:08:24 2004 GMT
             Not After : Aug  9 11:08:24 2014 GMT
         Subject: O=Test, OU=CA/emailAddress=admin@my.server.org, L=Test, ST=Test-State, C=DE, CN=Test Root CA
         Subject Public Key Info:
             Public Key Algorithm: rsaEncryption
             RSA Public Key: (1024 bit)
                 Modulus (1024 bit):
                 Exponent: 65537 (0x10001)
         X509v3 extensions:
             X509v3 Basic Constraints:
             CA:TRUE
             X509v3 Subject Key Identifier:
             FB:72:2B:2E:A0:9C:28:FE:50:7A:AA:9C:5F:97:F3:BD:47:82:9E:04
             X509v3 Authority Key Identifier:
             keyid:FB:72:2B:2E:A0:9C:28:FE:50:7A:AA:9C:5F:97:F3:BD:47:82:9E:04
             DirName:/O=Test/OU=CA/emailAddress=admin@my.server.org/L=Test/ST=Test-State/C=DE/CN=Test Root CA
             serial:00
     Signature Algorithm: md5WithRSAEncryption
Match my.server.org on my.server.org...
Identity match: good
Verify result: 0 = ok
Sending request body...
Request body sent: okay.
Request sent; retry is 0.
Aborted request (-1): Could not read status line
Closing connection.
Connection closed.
Running destroy hooks.
Request ends.
svn: PROPFIND request failed on '/svn'
svn: PROPFIND of '/svn': Could not read status line: SSL error: sslv3 alert unexpected message (https://my.server.org:443)
ne_session_destroy called.
ne_session_destroy called.
---
dav_svn.conf in the server:
<Location /svn>
   SSLRequireSSL
   DAV svn
   SVNPath /var/subversion/test-repository
   SSLVerifyClient require
   SSLVerifyDepth 1
   SSLCACertificatePath    /etc/apache/private
   SSLCACertificateFile    /etc/apache/private/rootcert.pem
   SSLOptions +FakeBasicAuth
   Require valid-user
   AuthType Basic
   AuthName "Subversion Repository"
   AuthUserFile /etc/apache/svn-access/auth-file
	
   AuthzSVNAccessFile /etc/apache/svn-access/access-file
</Location>
Received on Mon Aug 16 09:01:15 2004

This is an archived mail posted to the Subversion Users mailing list.