[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

HTTPS issue with files over 128K

From: Emmanuel Hislen <emmanuel.hislen_at_marseillenetworks.com>
Date: 2007-08-01 20:40:45 CEST

Hi,

I'm stuck with this issue, I tried both openssl and mod_ssl mailing
lists before trying this list. Got no reply at all on either one.

My issue is fairly simple so I really hope someone else encountered it
and found a solution:

I have a Subversion server running on FC6. From yum:

httpd.i386 2.2.3-5 installed
mod_ssl.i386 1:2.2.3-5 installed
openssl.i686 0.9.8b-8.3.fc6 installed
subversion.i386 1.4.3-2.fc6 installed

My users have issues checking-in large files via HTTPS. They get a "413
Request Entity Too Large".
No such issue with HTTP.

Authentication is basic using LDAP server (same machine as subversion
server).
This is the https log for the error:

[Mon Jul 09 07:01:36 2007] [error] [client xxx.xxx.xxx.xxx] request body
exceeds maximum size for SSL buffer
[Mon Jul 09 07:01:36 2007] [error] [client xxx.xxx.xxx.xxx] could not
buffer message body to allow SSL renegotiation to proceed

Failure happened on a 494KB file.

Now I have already done some homework on this and read somewhere that
this was an SSL issue where the first packet cannot be larger than 128KB
for security reasons (DoS). Now I also read that a workaround was to use
Client Certificates as authentication, and to put the 'SSLVerifyClient'
option inside the Virtual Host section to force renegotiation. I did all
that and at first it seemed to work, I was able to check-in one file
that previously had the issue, but now users are still reporting the
same issue in many cases

In the VirtualHost section of my ssl.conf I have:

<VirtualHost _default_:443>
(...)
<Location /svn-rep>
 SSLVerifyClient require
 SSLOptions +OptRenegotiate
</Location>
(...)
</VirtualHost>

Should I just abandon HTTPS solution and go to svnserve over SSH?????

I would greatly appreciate any suggestion,

Regards,

Emmanuel.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Aug 1 20:39:11 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.