[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

SSL/Certificate Problem

From: <Steve.Craft_at_sungard.com>
Date: 2006-05-23 21:51:09 CEST

I have Svn 1.3.1 front-ended by Apache. Server and all clients are Win32.

Using HTTP to access repositories works fine. I set up client-side
certificate authentication in Apache. HTTPS GET to browse the repository
works fine (client browser is prompted for certificate and password).
However, HTTPS connectivity from SVN (WebDAV) is not working. Here is a

e:\>svn co --no-auth-cache https://myserver/svn/testproj/branches/pjtest .

Error validating server certificate for 'https://myserver:443':

 - The certificate is not issued by a trusted authority. Use the

   fingerprint to validate the certificate manually!

Certificate information:

 - Hostname: myserver

 - Valid: from May 11 13:36:30 2006 GMT until Dec 14 13:36:30 2025 GMT

 - Issuer: [removed]

 - Fingerprint: ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee:ee

(R)eject or accept (t)emporarily? t

svn: PROPFIND request failed on '/svn/testproj/branches/pjtest'

svn: PROPFIND of '/svn/testproj/branches/pjtest': Could not read status
line: SSL error: sslv3 alert unexpected message (https://myserver)

A portion of Apache's ssl.conf that matters looks like this:

<Location /svn>

 SSLVerifyClient optional

 SSLVerifyDepth 1

 SSLOptions +OptRenegotiate

 DAV svn

 SVNParentPath "e:/repos"

 SVNIndexXSLT "/svnindex.xsl"

 AuthName "Repositories"

 AuthType Basic

 Require valid-user

 AuthUserFile "C:/Program Files/Apache Group/Apache2/conf/users.txt"

 AuthzSVNAccessFile "C:/Program Files/Apache Group/Apache2/conf/access.txt"


The portion of the c:\documents and settings\all users\subversion\servers
that matters looks like this:

neon-debug-mask = 130

ssl-authority-files = "C:/Documents and

ssl-client-cert-file = "C:/Documents and

ssl-client-cert-password = "maskedofcourse"

http-compression = no

store-passwords = no

store-auth-creds = no

I don't see any revealing debug output, it seems that my trustedca.crt file
is not being used.

The Apache error.log says:

[Tue May 23 15:29:28 2006] [error] Re-negotiation handshake failed: Not
accepted by client!?

The Apache sslrequest.log says: - - [23/May/2006:15:29:28 -0400] "PROPFIND
/svn/testproj/branches/pjtest HTTP/1.1" 403 -


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue May 23 21:52:59 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.