Posted to dev@subversion.apache.org by "Martin v. Löwis" <ma...@v.loewis.de> on 2003/05/12 22:05:37 UTC
SSL renegotiation
It seems I can't get SSL handshake renegotiation to work. In my
httpd.conf, I have
<Location /playground>
SSLVerifyClient require
DAV svn
SVNPath /export/svn/playground
SVNAutoversioning on
</Location>
i.e. I only require a client certificate for this repository, not for
the entire server. When I activate SSLVerifyClient globally, it works
fine. If I activate it as shown, I get
svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND of /: 405 Method Not Allowed
Setting neon-debug-mask=1023 reveals the following output, among other:
Sending request headers:
PROPFIND /payground HTTP/1.1
...
Doing SSL negotiation.
...
Request sent; retry is 0
[status-line] < HTTP/1.1 405 Method Not Allowed
[hdr] Date: Mon, 12 May 2003 21:30:46 GMT
...
Sending request headers:
PROPFIND / HTTP/1.1
[...]
Request sent; retry is 1
[status-line] < HTTP/1.1 405 Method Not Allowed
My interpretation is that the server, when the client asks for
/playground, offers to renegotiate SSL options. Subversion rejects
this, then the server rejects the request.
Any idea on how I could get this to work, or what else to try?
Regards,
Martin
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Re: SSL renegotiation
Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Joe Orton <jo...@manyfish.co.uk> writes:
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
[...]
> I'd be interested to hear whether that works!
Works fine, thanks! Now I only need to find out how to generate proper
log messages.
Regards,
Martin
Re: SSL renegotiation
Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Joe Orton <jo...@manyfish.co.uk> writes:
> If I understand the code correctly, this will not work properly with the
> current port of mod_ssl to Apache 2.0 - there is a big comment in
> ssl_engine_kernel.c talking about how renegotiations aren't supported
> for requests with bodies. (it talks about POST, but I don't see why it
> wouldn't apply to any request with a body, such as the PROPFIND being
> used here)
I see. So this is not a problem of the svn client not responding to
the renegotiation, but a problem with Apache not offering one. Thanks
for this investigation.
> You might like to try using:
>
> SSLVerifyClient optional
[...]
> I'd be interested to hear whether that works!
I will surely try. The downside is that all SSL traffic to that server
will cause a popup to appear asking users what certificate they want
to use, when they really don't need to authenticate for some of the
resources (or will use basic authentication).
Regards,
Martin
Re: SSL renegotiation
Posted by Joe Orton <jo...@manyfish.co.uk>.
On Tue, May 13, 2003 at 12:05:37AM +0200, Martin v. Löwis wrote:
> It seems I can't get SSL handshake renegotiation to work. In my
> httpd.conf, I have
>
> <Location /playground>
> SSLVerifyClient require
> DAV svn
> SVNPath /export/svn/playground
>
> SVNAutoversioning on
> </Location>
>
> i.e. I only require a client certificate for this repository, not for
> the entire server. When I activate SSLVerifyClient globally, it works
> fine. If I activate it as shown, I get
>
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND of /: 405 Method Not Allowed
If I understand the code correctly, this will not work properly with the
current port of mod_ssl to Apache 2.0 - there is a big comment in
ssl_engine_kernel.c talking about how renegotiations aren't supported
for requests with bodies. (It talks about POST, but I don't see why it
wouldn't apply to any request with a body, such as the PROPFIND being
used here.)
You might like to try using:
SSLVerifyClient optional
globally, which will always request a client cert during the initial SSL
negotiation, but not care if one isn't presented, and for the protected
location:
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
though using "SSLVerifyClient optional" is known to break the SSL
implementations in some web browsers, if you care about that.
I'd be interested to hear whether that works!
Regards,
joe
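As an added example (not part of the thread), the two httpd.conf variants discussed above, side by side: the per-Location "require" that would need a renegotiation, and the global "optional" plus SSLRequire workaround Joe suggests. The virtual host wrapper, certificate paths, the CA file and the /public location are assumptions, not taken from the thread.

```apache
# Added example, not from the thread. Apache 2.0 with mod_ssl and mod_dav_svn.
# All file paths and the /public location are placeholders.

# --- Variant A: the original, failing configuration ---
# Requiring a client cert only inside <Location> means the initial handshake
# completes without one and mod_ssl must renegotiate on the first request.
# In the Apache 2.0 port of mod_ssl that renegotiation is not supported for
# requests that carry a body, such as the PROPFIND svn sends, so the request
# is refused (the 405 seen in the neon debug output).
<Location /playground>
    SSLVerifyClient require
    DAV svn
    SVNPath /export/svn/playground
    SVNAutoversioning on
</Location>

# --- Variant B: the workaround suggested in the thread ---
# "optional" at server scope makes mod_ssl ask for a certificate during the
# initial handshake but accept connections that present none, so no
# renegotiation is ever needed. Access to the repository is then gated on
# whether a certificate was actually presented and verified.
<VirtualHost _default_:443>
    SSLEngine on
    # placeholders: server key pair and the CA that issued the client certs
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient optional

    <Location /playground>
        DAV svn
        SVNPath /export/svn/playground
        SVNAutoversioning on
        # Only clients whose certificate verified against the CA above get in.
        # SSL_CLIENT_VERIFY is NONE when no certificate was presented.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>

    # Paths outside /playground stay reachable without a certificate. As
    # noted in the thread, browsers will still prompt for one on every
    # connection to this host, and "optional" is known to break the SSL
    # implementation in some browsers.
    <Location /public>
        DAV svn
        SVNPath /export/svn/public
    </Location>
</VirtualHost>
```

Note that on Apache 2.4 SSLRequire is deprecated in favour of the Require expr syntax from mod_authz_core; the SSL_CLIENT_VERIFY variable it tests is unchanged.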