Subversion + Apache + Mac OS X + Content Renegotiation Security Update
From: Yvan BARTHÉLEMY <ybarthelemy_at_free.fr>
Date: Tue, 13 Apr 2010 00:37:17 +0200 (CEST)
Hi,
Since I've updated to the latest Apple Security Update (http://support.apple.com/kb/HT4004), I cannot use client certificates the way I did before.
In my Apache setup, any user can browse using https without being authenticated, but they should be authenticated to commit to subversion repositories or to access some secured applications. I've implemented this using the Location directive in my Apache configuration and SSLVerifyClient Optional.
After the update, the secured areas cannot be accessed.
To fix the problem, I've updated OpenSSL to 1.0.0 and Apache to 2.2.15 (in fact, recompiling mod_ssl would probably have been sufficient). I used the SSLInsecureRenegotiation directive to allow older clients to access secured areas.
Doing this allows me to run a browser and authenticate using client certificates, but subversion does not.
When I issue any command, svn hangs and I get the following message when I interrupt the process:
If I set SSLVerifyClient require for the whole SSL vhost, svn is able to checkout and commit.
Running otool -L /usr/bin/svn indicated that svn was linking explicitly against /usr/lib/libssl.0.9.7.dylib rather than the latest available. If I force svn to use 1.0.0 with a symlink, I can checkout, but I get the following when committing:
What should I do to have svn able to commit with this setup?
Here is the svn I'm using (this is the one provided by Apple with Mac OS X 10.5.8):
Thanks,
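
An added configuration sketch of the two setups described in the message above (not the poster's actual configuration; host names, ports and file paths are placeholders). Variant A requests the client certificate per Location, which forces a TLS renegotiation; variant B requests it in the initial handshake, as in the vhost-wide `SSLVerifyClient require` case the poster reports working.

```apache
# Constructed example. All names, ports and paths below are placeholders.

# Variant A: anonymous HTTPS, client certificate requested only for /svn.
# The handshake completes without a certificate; when a request reaches
# /svn, mod_ssl has to renegotiate the session to ask for one. A TLS stack
# with renegotiation restricted refuses this unless both peers support
# secure renegotiation.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient none

    # "on" lets unpatched clients renegotiate the legacy way, which also
    # brings back the exposure the update removed. Keep it off if you can.
    SSLInsecureRenegotiation off

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Location>
</VirtualHost>

# Variant B: separate listener for authenticated access. The certificate is
# requested in the initial handshake, so no renegotiation takes place and
# SSLInsecureRenegotiation is not needed for this listener.
Listen 8443
<VirtualHost *:8443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Location /svn>
        DAV svn
        SVNParentPath /var/svn
    </Location>
</VirtualHost>
```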
This is an archived mail posted to the Subversion Users mailing list.