[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Problem with SSL Client auth and libserf

From: Bernd May <bernd_at_net.t-labs.tu-berlin.de>
Date: Mon, 29 Jul 2013 17:04:30 +0200

Hey,

On 26.07.2013 11:14, Lieven Govaerts wrote:> This renegotiation issue
was solved on serf trunk in r2078, details in
> the ticket you opened:
> https://code.google.com/p/serf/issues/detail?id=114
>
> r2078 applies cleanly to the serf 1.3.x branch, so if you can validate
> the fix before I backport it to 1.3.x that'd be much appreciated!

that was fast - thanks alot!
I just recompiled the complete subversion client because my installed
one was built against libserf-v1.2 and would not work with LD_PRELOAD
with the newer 1.3 libserf. Results look fine

bernd@myhost:~$ /usr/local/bin/svn ls https://example.com/svn/testrepos
README

...but...

This only works in an optimal client auth environment, meaning

* The path to the client certificate is specified in ~
/.subversion/servers in the correct section. Otherwise the following
error will occur:

bernd@myhost:~$ /usr/local/bin/svn ls https://example.com/svn/testrepos
subversion/svn/list-cmd.c:383,
subversion/libsvn_client/list.c:578,
subversion/libsvn_client/list.c:368,
subversion/libsvn_client/ra.c:516,
subversion/libsvn_client/ra.c:393,
subversion/libsvn_ra/ra_loader.c:482: (apr_err=120171)
svn: E120171: Unable to connect to a repository at URL
'https://example.com/svn/testrepos'
subversion/libsvn_ra_serf/serf.c:528,
subversion/libsvn_ra_serf/options.c:508,
subversion/libsvn_ra_serf/util.c:814,
subversion/libsvn_ra_serf/util.c:781: (apr_err=120171)
svn: E120171: Error running context: An error occurred during SSL
communication

* The ~/.subversion/servers file is readable, otherwise svn will segfault:

bernd@myhost:~$ /usr/local/bin/svn ls https://example.com/svn/testrepos
svn: warning: W000013: Can't open file
'/home/bernd/.subversion/servers': Permission denied
Segmentation fault

* When having activated the 'ssl-client-cert-file-prompt=yes' option in
the ~/.subversion/config [auth] section one has to provide a certificate
in pkcs12 format. Otherwise, e.g. when using a PEM encoded cert, one
receives this error:

bernd@myhost:~$ /usr/local/bin/svn ls https://example.com/svn/testrepos
Authentication realm: https://example.com:443
Client certificate filename: /home/bernd/workspace/svn/bernd.pem
OpenSSL cert error: 13 104 168
Authentication realm: https://example.com:443
Client certificate filename: /home/bernd/.subversion/certs/bernd.p12
README

I guess all of them need to be reported to the subversion people though.
I assume they are not directly related to libserf.

Thanks again for the fast help, hope to see that fix in downstream
packes soon :) 

-- 
Technische Universität Berlin - FGINET
Bernd May
System Administration
Sekr. TEL 16
Ernst-Reuter-Platz 7
10587 BERLIN
GERMANY
Mobile: 0160/90257737
E-Mail: bernd_at_inet.tu-berlin.de
WWW:    inet.tu-berlin.de

Received on 2013-07-29 17:05:06 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.