Posted to dev@subversion.apache.org by "Martin v. Löwis" <ma...@v.loewis.de> on 2003/05/12 22:05:37 UTC

SSL renegotiation

It seems I can't get SSL handshake renegotiation to work. In my
httpd.conf, I have

<Location /playground>
  SSLVerifyClient require
  DAV svn
  SVNPath /export/svn/playground

  SVNAutoversioning on
</Location>

i.e. I only require a client certificate for this repository, not for
the entire server. When I activate SSLVerifyClient globally, it works
fine. If I activate it as shown, I get

svn: RA layer request failed
svn: The path was not part of a repository
svn: PROPFIND of /: 405 Method Not Allowed

Setting neon-debug-mask=1023 reveals the following output, among others:

Sending request headers:
PROPFIND /payground HTTP/1.1
...
Doing SSL negotiation.
...
Request sent; retry is 0
[status-line] < HTTP/1.1 405 Method Not Allowed
[hdr] Date: Mon, 12 May 2003 21:30:46 GMT
...
Sending request headers:
PROPFIND / HTTP/1.1
[...]
Request sent; retry is 1
[status-line] < HTTP/1.1 405 Method Not Allowed

My interpretation is that the server, when the client asks for
/playground, offers to renegotiate SSL options. Subversion rejects
this, then the server rejects the request.

Any idea on how I could get this to work, or what else to try?

Regards,
Martin


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: SSL renegotiation

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Joe Orton <jo...@manyfish.co.uk> writes:

>   SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
[...]
> I'd be interested to hear whether that works!

Works fine, thanks! Now I only need to find out how to generate proper
log messages.

Regards,
Martin



Re: SSL renegotiation

Posted by "Martin v. Löwis" <ma...@v.loewis.de>.
Joe Orton <jo...@manyfish.co.uk> writes:

> If I understand the code correctly, this will not work properly with the
> current port of mod_ssl to Apache 2.0 - there is a big comment in
> ssl_engine_kernel.c talking about how renegotiations aren't supported
> for requests with bodies. (it talks about POST, but I don't see why it
> wouldn't apply to any request with a body, such as the PROPFIND being
> used here)

I see. So this is not a problem of the svn client not responding to
the renegotiation, but a problem with Apache not offering one. Thanks
for this investigation.

> You might like to try using:
> 
>   SSLVerifyClient optional
[...]
> I'd be interested to hear whether that works!

I will sure try. The downside is that all SSL traffic to that server
will cause a popup to appear asking users what certificate they want
to use, when they really don't need to authenticate for some of the
resources (or will use basic authentication).

Regards,
Martin


Re: SSL renegotiation

Posted by Joe Orton <jo...@manyfish.co.uk>.
On Tue, May 13, 2003 at 12:05:37AM +0200, Martin v. Löwis wrote:
> It seems I can't get SSL handshake renegotiation to work. In my
> httpd.conf, I have
> 
> <Location /playground>
>   SSLVerifyClient require
>   DAV svn
>   SVNPath /export/svn/playground
> 
>   SVNAutoversioning on
> </Location>
> 
> i.e. I only require a client certificate for this repository, not for
> the entire server. When I activate SSLVerifyClient globally, it works
> fine. If I activate it as shown, I get
> 
> svn: RA layer request failed
> svn: The path was not part of a repository
> svn: PROPFIND of /: 405 Method Not Allowed

If I understand the code correctly, this will not work properly with the
current port of mod_ssl to Apache 2.0 - there is a big comment in
ssl_engine_kernel.c talking about how renegotiations aren't supported
for requests with bodies. (it talks about POST, but I don't see why it
wouldn't apply to any request with a body, such as the PROPFIND being
used here)

You might like to try using:

  SSLVerifyClient optional

globally, which will always request a client cert during the initial SSL
negotiation, but not care if one isn't presented, and for the protected
location:

  SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

though using "SSLVerifyClient optional" is known to break the SSL
implementations in some web browsers, if you care about that.

I'd be interested to hear whether that works!

Regards,

joe
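For readers who want to see the whole layout Joe is describing in one place, here is an added httpd.conf example (not part of the thread, and not Joe's or Martin's own configuration) that applies his suggestion: "SSLVerifyClient optional" at the virtual-host level so the certificate is requested in the initial handshake, and "SSLRequire" only on the location that needs it, next to a location that does not. The hostname, certificate and CA file paths, and the /public repository are assumptions; only /playground and its SVNPath come from the original question.

```apache
# Added example, not taken from the thread. Hostname, file paths and the
# /public repository are assumptions; /playground is from the original post.
<VirtualHost *:443>
    ServerName svn.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/svn.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/svn.example.org.key

    # CA that issued the client certificates we are willing to accept.
    # Without this, no client certificate can ever verify as SUCCESS.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyDepth 2

    # Request a client certificate during the initial handshake, but do not
    # drop the connection if none is presented. Because the certificate is
    # already negotiated before the first request, no mid-request
    # renegotiation is needed for PROPFIND and other requests with bodies.
    SSLVerifyClient optional

    # Repository that anyone with TLS access may use: no certificate check.
    <Location /public>
        DAV svn
        SVNPath /export/svn/public
    </Location>

    # Repository from the original question. "SSLVerifyClient require" is
    # deliberately NOT placed here; that per-Location setting is what forced
    # the renegotiation and produced the 405 described above. Instead, deny
    # any request whose handshake did not carry a certificate that verified
    # against client-ca.pem (SSL_CLIENT_VERIFY is "NONE" when no certificate
    # was offered and "FAILED:..." when one was offered but did not verify).
    <Location /playground>
        DAV svn
        SVNPath /export/svn/playground
        SVNAutoversioning on
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

With this layout a client that connects without a certificate can still reach /public, and gets a 403 from the SSLRequire check on /playground rather than the misleading 405 seen in the thread. The trade-off Martin raises still applies: because the certificate is requested on every handshake, browsers holding more than one client certificate will prompt the user even for /public. On Apache 2.4 the same per-location check can be written as "Require ssl-verify-client" from mod_ssl, which is the non-deprecated form of the SSLRequire line above; the thread predates that directive.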
