
SSL session renegotiation fails after updating Apache 2.0.54 to 2.0.55

From: Ralph Seichter <subversion-ml_at_sentries.org>
Date: 2005-10-14 16:16:22 CEST

Hi,

I tried to upgrade a SVN repository server Apache installation from
version 2.0.54 to 2.0.55 today, but it seems like Subversion 1.2.3
(Linux and Windows) can't renegotiate SSL sessions with the new Apache
version. The error message is:

   svn: PROPFIND of '/foobar': Could not read status line: SSL
   error: sslv3 alert unexpected message (https://server.tld)

I have seen this error in Apache 2.0.54 as well, but the following
configuration works without problems:

   # Works with Apache 2.0.54, but not with Apache 2.0.55
   SSLVerifyClient optional
   <Location /svn>
     DAV svn
     SVNParentPath /path/to/reps
     AuthzSVNAccessFile /path/to/accessfile
     SSLVerifyClient require
     SSLUserName SSL_CLIENT_S_DN_CN
     SSLOptions +StrictRequire
   </Location>

For Apache 2.0.55, the only working configuration I found so far is:

   # Works with both Apache 2.0.54 and Apache 2.0.55,
   # but requires client certificates for all services.
   SSLVerifyClient require
   <Location /svn>
     DAV svn
     SVNParentPath /path/to/reps
     AuthzSVNAccessFile /path/to/accessfile
     SSLUserName SSL_CLIENT_S_DN_CN
     SSLOptions +StrictRequire
   </Location>

The modified SSLVerifyClient settings imply that any client trying to
access the server *must* provide a valid client certificate. This is
not acceptable, because the machine also serves clients which don't
own any certificates (i.e. for Webmail).

As I used the same SVN 1.2.3 sources with both Apache versions, it
seems to me that recent changes in the Apache SSL session handling are
causing trouble. I write this message in the hope that somebody here
has found a workaround which allows SVN to work with Apache 2.0.55 as
it did with version 2.0.54: SVN access with client certificate only,
access to other services without client certificate.

Any ideas, apart from "go ask your questions on the Apache mailing
lists"? ;-)

-- 
Mit freundlichen Grüßen / Sincerely
Dipl. Inform. Ralph Seichter
Received on Fri Oct 14 16:20:33 2005
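
The difference between the two configurations in the message above, as an added example that is not part of the original post: a Python check that flags sections whose SSLVerifyClient is stricter than the server-level setting, which is the case where mod_ssl must renegotiate the SSL session mid-request to ask for a client certificate. The function name, the simplified strictness ranking and the embedded samples (trimmed copies of the posted configurations) are assumptions made for illustration.

```python
import re

# Simplified strictness ranking of SSLVerifyClient levels (assumption of this
# sketch): a section ranked above the server level forces a renegotiation.
RANK = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}

OPEN = re.compile(r"<(Location|Directory)\s+(\S+?)>", re.I)
CLOSE = re.compile(r"</(Location|Directory)>", re.I)
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)

# Constructed samples: the two configurations from the post, trimmed.
CONF_2054 = """\
SSLVerifyClient optional
<Location /svn>
  DAV svn
  SSLVerifyClient require
  SSLUserName SSL_CLIENT_S_DN_CN
  SSLOptions +StrictRequire
</Location>
"""
CONF_2055 = """\
SSLVerifyClient require
<Location /svn>
  DAV svn
  SSLUserName SSL_CLIENT_S_DN_CN
  SSLOptions +StrictRequire
</Location>
"""

def renegotiating_sections(conf):
    """Return (path, server_level, section_level) for each section that
    raises the client-certificate requirement above the server level."""
    server, section, per_section = "none", None, {}  # mod_ssl default: none
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := OPEN.match(line)):
            section = m.group(2)
        elif CLOSE.match(line):
            section = None
        elif (m := VERIFY.match(line)):
            level = m.group(1).lower()
            if section is None:
                server = level
            else:
                per_section[section] = level
    return [(path, server, level) for path, level in per_section.items()
            if RANK.get(level, 0) > RANK.get(server, 0)]
```

Only the first configuration is flagged; the second asks for the certificate in the initial handshake, so no per-location upgrade is needed.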

This is an archived mail posted to the Subversion Users mailing list.
