
SSL client certificate problem

From: Mads B. Tandrup <mads_t_at_yahoo.com>
Date: 2006-04-29 17:10:00 CEST

Hello

I'm not sure if this is a bug in subversion or a 'feature'. But here goes.

I am trying to set up our SSL server to provide access to our SVN repositories. The SSL server hosts our webmail along with other applications.
We would like to authenticate all access to our SVN repositories with client side SSL certificates. On the other hand, we will not require webmail users and the other applications on the SSL server to provide client certificates.
According to the mod_ssl 2.8 documentation, this can be accomplished using the SSLVerifyClient directive (http://www.modssl.org/docs/2.8/ssl_reference.html#ToC17) in a per-directory context.

Our Apache SVN configuration looks like this:
  <Location /svn>
    DAV svn
    SVNParentPath /home/svn/
    SVNIndexXSLT "/svnindex.xsl"
  
    SSLVerifyClient require
    SSLRequireSSL
  
    AuthType Basic
    AuthName "Our company"

    Require valid-user
  
    Satisfy All
  </Location>

Apart from this, the SSL server's general configuration includes SSLCACertificateFile info.

When I access the repository using Firefox or Internet Explorer it works fine. The client is required to present a certificate when browsing https://ssl.ourcompany.com/svn/foo, but not https://ssl.ourcompany.com/webmail or other locations on the server. As expected.

But when I try to use SVN to access the repository it says:
  svn: PROPFIND request failed on '/svn/foo'
  svn: PROPFIND of '/svn/foo': Could not read status line: SSL error: sslv3 alert unexpected message (https://ssl.ourcompany.com)
 
If I change the Apache configuration such that the overall SSL configuration includes "SSLVerifyClient optional", and remove "SSLVerifyClient require" from the SVN configuration, it works.
But now the webmail prompts the client for a certificate as well, which I do not want.

My versions are:
On my client:
$ svn --version
svn, version 1.2.3 (r15833)
   compiled Dec 4 2005, 03:38:36

$ openssl version
OpenSSL 0.9.8a 11 Oct 2005

And on the SSL server:
$ svn --version
svn, version 1.2.3 (r15833)
   compiled Dec 6 2005, 12:08:31

$ openssl version
OpenSSL 0.9.7e 25 Oct 2004

I've tried with TortoiseSVN on a Windows PC with the same result. TortoiseSVN version info is:
TortoiseSVN 1.3.3, Build 6219 - 32 Bit
Subversion 1.3.1,
apr 0.9.7
apr-iconv 0.9.7
apr-utils 0.9.7
berkeley db 4.3.28
neon 0.25.4
OpenSSL 0.9.8a 11 Oct 2005
zlib 1.2.3

Best regards,
Mads B. Tandrup
 

Received on Sat Apr 29 17:11:15 2006
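
An added example, not part of the original post: in the workaround described above (server-wide "SSLVerifyClient optional" with the per-directory "require" removed), nothing rejects a /svn request that arrives without a certificate. One way to restore that check without a per-directory SSLVerifyClient is mod_ssl's SSLRequire directive testing the SSL_CLIENT_VERIFY variable; the virtual host wrapper and the CA file path below are assumptions, the /svn settings are copied from the post.

```apache
# Added example. ServerName and the /svn settings follow the post;
# the <VirtualHost> wrapper and the CA file path are placeholders.
<VirtualHost _default_:443>
    ServerName ssl.ourcompany.com
    SSLEngine on

    # Placeholder path: use the CA file already configured on the server.
    SSLCACertificateFile /path/to/client-ca.crt

    # Request a client certificate in the initial handshake, but do not
    # fail the handshake when none is sent (the post's working setting).
    SSLVerifyClient optional

    <Location /svn>
        DAV svn
        SVNParentPath /home/svn/
        SVNIndexXSLT "/svnindex.xsl"

        SSLRequireSSL

        # Deny the request unless a client certificate was presented and
        # verified against the CA above. SSL_CLIENT_VERIFY is NONE when no
        # certificate was sent and FAILED:reason when verification failed.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

        # Basic auth lines as in the post (password source not shown there).
        AuthType Basic
        AuthName "Our company"
        Require valid-user
        Satisfy All
    </Location>
</VirtualHost>
```

With this layout browsers visiting /webmail are still offered the certificate prompt, as the post describes; the SSLRequire line only changes whether /svn accepts a connection that has no verified certificate.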

This is an archived mail posted to the Subversion Users mailing list.
