
Question regarding client certificates

From: Soeren Gerlach <soeren_at_all-about-shift.com>
Date: 2004-10-13 21:20:56 CEST

Hi,

my setup is the following:

* Linux repository using Apache. The repository is accessible only via HTTPS;
  the server certificate is a regular certificate with a common CA (Trustcenter).

* Additionally, the repository has been secured on the Apache side using client certificates
  with a "self-signed CA" and client certificates created using this CA. It looks like this:
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
<Location /curves>
  DAV svn
  SVNPath /storage/svn/curves

  # Use SSL and require our self signed CA certificates
  SSLRequireSSL
  SSLCACertificateFile /etc/apache2/ssl.crt/quanteam_CA.crt
  SSLVerifyClient require
[...some more stuff on selecting the right certificates only...]
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

  When I try to connect I must present my self-signed certificate. The URL itself is then
  encrypted using the "correct" server certificate, which is a different one.

* I'm testing with win as well as Linux clients, 1.0.0 and 1.0.8

The problem is quite simple: I'm not able to access the repository using the client certificate
for authorisation. Just for the first arm wavers ,-)): I've installed the certificate in
MS IE and checked with and without it that the certificate works well - it does, so that's not
the problem: I need to show the right certificate; without it, there is no way in. What I get back,
e.g. if I just try to list the repository, is the following:

-------------------------------------------------------------------------
svn: PROPFIND request failed on '/svn/sop_curves'
svn: PROPFIND of '/svn/sop_curves': Could not read status line: SSL error: sslv3 alert unexpected message (https://www.foobar.com)
-------------------------------------------------------------------------

With full blown debug in neon the communication looks like this:

-------------------------------------------------------------------------
Sending request-line and headers:
Connecting to xxx.xxx.xxx.xxx
Doing SSL negotiation.
Chain depth: 1
Match www.foobar.com on ...
Identity match: bad
Cert #0:
Certificate:

[...now comes the server certificate...]

Match www.foobar.com on www.foobar.com...
Identity match: good
Verify result: 20 = unable to get local issuer certificate
Sending request body...

[...some more stuff, finally showing the request and the error...]
-------------------------------------------------------------------------

In my "servers" file I've defined the following lines:

-------------------------------------------------------------------------
[groups]
foobar = www.foobar.com

[foobar]
ssl-client-cert-file = /tmp/soeren.p12
ssl-authority-files = /tmp/quanteam_CA.crt
-------------------------------------------------------------------------

I suppose this has to do with the fact that the server certificate comes from the Trustcenter CA while the client certificate comes from our own self-signed CA? As far as I understand, this should be no problem, but Subversion doesn't think the same ,-))) Any hints on how to solve this problem are quite welcome.

Thanks,
Soeren Gerlach

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Oct 13 21:21:25 2004
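An added example, not part of the mail above: in the Subversion `servers` file, `ssl-authority-files` names the CA certificates the client uses to verify the *server* certificate, while `ssl-client-cert-file` is the certificate the client presents. The script below rebuilds the two trust relationships from the post with throwaway keys (the CA names "trustcenter" and "quanteam", the file names and the temp directory are constructed for the demo; `www.foobar.com` and `soeren` are taken from the post) and shows which CA file validates which certificate, including the combination that produces "unable to get local issuer certificate" (verify result 20).

```shell
#!/bin/sh
# Added demo (not from the post): rebuild the two trust relationships in the
# setup above with throwaway keys, to see which CA file belongs where.
#   "trustcenter" CA -> issues the server certificate (what the svn client must trust)
#   "quanteam" CA    -> issues the client certificate (what Apache's SSLVerifyClient checks)
# CA names, file names and the temp directory are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# make_ca NAME: create a self-signed CA key pair NAME-ca.key / NAME-ca.crt.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1 CA" \
    -keyout "$1-ca.key" -out "$1-ca.crt" 2>/dev/null
}

# issue_cert CA NAME CN: issue leaf certificate NAME.crt for subject CN, signed by CA.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1-ca.crt" -CAkey "$1-ca.key" \
    -CAcreateserial -out "$2.crt" 2>/dev/null
}

# verify_with CA_FILE CERT: exit 0 if CERT chains to CA_FILE, non-zero otherwise.
# This is the same check the svn client performs on the server certificate using
# the files listed under ssl-authority-files.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca trustcenter
make_ca quanteam
issue_cert trustcenter server www.foobar.com   # server cert, as on the real host
issue_cert quanteam client soeren              # client cert, as inside soeren.p12

# Correct pairing: Apache's SSLCACertificateFile validates the client cert against
# the quanteam CA; the svn client validates the server cert against the trustcenter CA.
verify_with quanteam-ca.crt client.crt    && echo "client.crt <- quanteam CA:    OK"
verify_with trustcenter-ca.crt server.crt && echo "server.crt <- trustcenter CA: OK"

# The servers file in the post lists the quanteam CA under ssl-authority-files,
# i.e. the client-cert CA is asked to vouch for the server cert. That fails with
# "unable to get local issuer certificate" (verify result 20 in the neon log).
if ! verify_with quanteam-ca.crt server.crt; then
  echo "server.crt <- quanteam CA:    FAILS (error 20)"
fi
```

Requires the `openssl` command line tool; the fix the demo points at is to list the server's issuing CA (here the trustcenter one) under `ssl-authority-files` and keep the self-signed CA only on the Apache side for client-certificate checks.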

This is an archived mail posted to the Subversion Users mailing list.
