
Re: Accessing SVN repository via Apache and SSL client certificate? Almost there, but something is missing.

From: Phillip Susi <psusi_at_cfl.rr.com>
Date: 2005-05-05 18:43:35 CEST

Did you configure apache to REQUIRE a client cert, or did you set the
client cert to optional?

I think there was an issue I ran into with optional client certificates.
If you set it to optional on the server as a whole, but then required
for a specific URL, the initial connection is made without a client
certificate, and then the server requests a client certificate when it
gets the PROPFIND request, and I think that the svn client can't handle
the request for a client certificate after the initial handshake.

This issue probably should be entered as a bug in the issue tracker, if
it isn't there already.

Ralph Seichter wrote:
> Hello,
>
> I'm having a hard time configuring SSL client certificate access
> with Subversion 1.1.4 and Apache 2.0.54. I created a certificate
> with OpenSSL, converted it to PKCS 12 and imported it into Mozilla
> Firefox.
>
> Using the browser, I can successfully access the SVN repositories
> with the client certificate present, so I am quite sure that I have
> set up Apache correctly. However, I can't seem to tell the SVN
> client how to use the certificate file. I have added the following
> to my 'servers' configuration:
>
> [global]
> ssl-authority-files = /home/user/ca.pem
> ssl-client-cert-file = /home/user/cert.p12
> ssl-client-cert-password = secret
>
> According to the SVN Book section "SSL Certificate Management"
> <http://svnbook.red-bean.com/en/1.1/ch06s04.html#svn-ch-6-sect-4.3.2>
> this should be about all which is required on the client side, but
> SVN keeps complaining:
>
> svn: PROPFIND of '/foobar': Could not read status line: SSL
> error: sslv3 alert unexpected message (https://server.tld)
>
> This is accompanied by the Apache error message
>
> Re-negotiation handshake failed: Not accepted by client!?
>
> which usually indicates that the client does not have a certificate
> available. If I have missed a FAQ or HOWTO, please kindly point me
> to it. Your help is appreciated!
>

Received on Thu May 5 18:44:46 2005

This is an archived mail posted to the Subversion Users mailing list.
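
Added example, not part of the original message or of the Subversion or Apache projects: the server layout described in the reply (client certificate optional for the server, required for one URL) next to a layout that asks for the certificate in the initial handshake, with a small Python check that flags the first. The two configuration samples, the paths in them and the function name are constructed for illustration; `SSLVerifyClient` is the mod_ssl directive involved. It assumes each virtual host sets its own level.

```python
import re

# Constructed sample: optional for the virtual host, required for one URL,
# which is the layout described in the reply above.
RENEGOTIATING = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    <Location /svn>
        DAV svn
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""
# Constructed sample: required for the whole virtual host, so the certificate
# is requested once, during the initial handshake.
HANDSHAKE_ONLY = """\
<VirtualHost *:443>
    SSLVerifyClient require
    <Location /svn>
        DAV svn
    </Location>
</VirtualHost>
"""
PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files"}
RANK = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}

def find_renegotiation_points(conf):
    """Return (line_no, section, level) for each per-directory SSLVerifyClient
    that is stricter than the level of its enclosing server."""
    stack, hits, per_dir, server = [], [], [], "none"  # mod_ssl default: none
    stricter = lambda: [p for p in per_dir if RANK.get(p[2], 0) > RANK.get(server, 0)]
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        verify = re.match(r"SSLVerifyClient\s+(\S+)", line, re.I)
        if tag and not tag.group(1):
            stack.append((tag.group(2).lower(), tag.group(3).strip()))
        elif tag and stack:
            if stack.pop()[0] == "virtualhost":  # end of one server scope
                hits += stricter()
                per_dir, server = [], "none"
        elif verify:
            level = verify.group(1).lower()
            inner = [s for s in stack if s[0] in PER_DIR]
            if inner:
                per_dir.append((no, "%s %s" % inner[-1], level))
            else:
                server = level
    return hits + stricter()
```

Each tuple returned marks a section where the server has to ask for the certificate after the first request has arrived, rather than during the initial handshake.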