
Subversion + Apache + Mac OS X + Content Renegotiation Security Update

From: Yvan BARTHÉLEMY <ybarthelemy_at_free.fr>
Date: Tue, 13 Apr 2010 00:37:17 +0200 (CEST)

Hi,

Since I updated to the latest Apple Security Update (http://support.apple.com/kb/HT4004), I cannot use client certificates the way I did before.

In my Apache setup, any user can browse using https without being authenticated, but they should be authenticated to commit to subversion repositories or to access some secured applications. I've implemented this using the Location directive in my Apache configuration and SSLVerifyClient Optional.

After the update, the secured areas cannot be accessed.

To fix the problem, I've updated OpenSSL to 1.0.0 and Apache to 2.2.15 (in fact, recompiling mod_ssl would probably have been sufficient). I used the SSLInsecureRenegotiation directive to allow older clients to access secured areas.

Doing this allows me to run a browser and authenticate using client certificates, but subversion does not.

When I issue any command, svn hangs and I get the following message when I interrupt the process:
> ^Csvn: PROPFIND request failed on '/svn/ybart'
> svn: PROPFIND of '/svn/ybart': Could not read status line: Interrupted system call (https://my-domain.tld)

If I set SSLVerifyClient require for the whole SSL vhost, svn is able to checkout and commit.

Running otool -L /usr/bin/svn indicated that svn was linking explicitly against /usr/lib/libssl.0.9.7.dylib rather than the latest available. If I force svn to use 1.0.0 using a symlink, I can checkout, but I get the following when committing:
> svn: Commit failed (details follow):
> svn: MKACTIVITY of '/svn/ybart/!svn/act/7373cac9-633d-46c2-b0c9-6ec049d52e2e': 403 Forbidden (https://my-domain.tld)

What should I do to have svn able to commit with this setup?

Here is the svn I'm using (this is the one provided by Apple with Mac OS X 10.5.8):
svn, version 1.4.4 (r25188)
   compiled Sep 28 2009, 16:25:45

Thanks,
Yvan
Received on 2010-04-13 01:29:05 CEST
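
The mechanism behind the symptoms in the message above, as an added configuration sketch that is not part of the original post: in per-directory context, `SSLVerifyClient` makes mod_ssl renegotiate the TLS session after it has read the request, while a vhost-level setting asks for the certificate in the initial handshake. The certificate paths and the `/secure-app` location are placeholders, and Variant A is only an assumption about how the poster's Location-based setup looks.

```apache
# Added illustration (Apache 2.2 syntax). All file paths and the
# /secure-app location are placeholders, not values from the post.
<VirtualHost *:443>
    ServerName my-domain.tld
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    # --- Variant A: certificate requested per location (assumed original) ---
    # Nothing is requested in the initial handshake. When a request hits the
    # protected location, mod_ssl must renegotiate to obtain the client
    # certificate. A TLS library with renegotiation disabled refuses, and the
    # request stalls or fails.
    #
    # SSLVerifyClient none
    # <Location /secure-app>
    #     SSLVerifyClient require
    # </Location>
    #
    # Re-enabling legacy renegotiation for unpatched clients brings back the
    # exposure the security update was meant to close:
    # SSLInsecureRenegotiation on

    # --- Variant B: certificate requested once, enforced per location ---
    # The certificate is requested (but not demanded) during the initial
    # handshake, so anonymous HTTPS browsing keeps working and no
    # renegotiation is needed later.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /secure-app>
        # Enforce the result of the handshake-time verification here.
        # SSLVerifyClient and SSLVerifyDepth are left at the vhost values,
        # so this block does not trigger a renegotiation.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Variant B only helps clients that present their certificate when it is optional in the initial handshake; the post does not establish whether the Apple-supplied svn 1.4.4 does so.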

This is an archived mail posted to the Subversion Users mailing list.
