Posted to users@subversion.apache.org by "Mads B. Tandrup" <ma...@yahoo.com> on 2006/04/29 15:10:00 UTC

SSL client certificate problem

Hello

I'm not sure if this is a bug in subversion or a 'feature'. But here goes.

I am trying to set up our SSL server to provide access to our SVN repositories. The SSL server hosts our webmail along with other applications.
We would like to authenticate all access to our SVN repositories with client side SSL certificates. On the other hand, we will not require webmail users and the other applications on the SSL server to provide client certificates.
According to the mod_ssl 2.8 documentation, this can be accomplished using the SSLVerifyClient directive (http://www.modssl.org/docs/2.8/ssl_reference.html#ToC17) in a per-directory context.

Our Apache SVN configuration looks like this:
  <Location /svn>
    DAV svn
    SVNParentPath /home/svn/
    SVNIndexXSLT "/svnindex.xsl"
  
    SSLVerifyClient require
    SSLRequireSSL
  
    AuthType Basic
    AuthName "Our company"

    Require valid-user
  
    Satisfy All
  </Location>

Apart from this, the SSL server's general configuration includes SSLCACertificateFile info.

When I access the repository using Firefox or Internet Explorer it works fine. The client is required to present a certificate when browsing https://ssl.ourcompany.com/svn/foo, but not https://ssl.ourcompany.com/webmail or other locations on the server. As expected.

But when I try to use SVN to access the repository it says:
  svn: PROPFIND request failed on '/svn/foo'
  svn: PROPFIND of '/svn/foo': Could not read status line: SSL error: sslv3 alert unexpected message (https://ssl.ourcompany.com)
 
If I change the Apache configuration such that the overall SSL configuration includes "SSLVerifyClient optional", and remove "SSLVerifyClient require" from the SVN configuration, it works.
But now the webmail prompts the client for a certificate as well, which I do not want.

My versions are:
On my client:
$ svn --version
svn, version 1.2.3 (r15833)
   compiled Dec  4 2005, 03:38:36

$ openssl version
OpenSSL 0.9.8a 11 Oct 2005

And on the SSL server:
$ svn --version
svn, version 1.2.3 (r15833)
   compiled Dec  6 2005, 12:08:31

$ openssl version
OpenSSL 0.9.7e 25 Oct 2004

I've tried with TortoiseSVN on a Windows PC with the same result. TortoiseSVN version info is:
TortoiseSVN 1.3.3, Build 6219 - 32 Bit 
Subversion 1.3.1, 
apr 0.9.7
apr-iconv 0.9.7
apr-utils 0.9.7
berkeley db 4.3.28
neon 0.25.4
OpenSSL 0.9.8a 11 Oct 2005
zlib 1.2.3

Best regards,
Mads B. Tandrup
 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: SSL client certificate problem

Posted by "Mads B. Tandrup" <ma...@yahoo.com>.
> > But when I try to use SVN to access the repository it says:
> >   svn: PROPFIND request failed on '/svn/foo'
> >   svn: PROPFIND of '/svn/foo': Could not read status line: SSL error: sslv3 alert unexpected message (https://ssl.ourcompany.com)
> 
> Just a guess: did you tell subversion which client certificate to use?
> 
Yes. As I said, when I set "SSLVerifyClient optional" in the Apache configuration SVN works fine (But with undesirable effects on other parts of the SSL server).

> Anyways, it would make troubleshooting and/or reproducing your problem
> easier if you told us the actual svn commands you used.
> 
The above output was from a simple "svn up" inside an already checked out work dir, but "svn co" gives the same output:

First with "SSLVerifyClient optional" in the main SSL configuration:
$ rm -Rf foo
$ svn co https://ssl.ourcompany.com/svn/foo
Authentication realm: https://ssl.ourcompany.com:443
Client certificate filename: mads.tandrup-cert.p12
Passphrase for 'mads.tandrup-cert.p12':
A    foo/trunk
[...]
A    foo/tags
Checked out revision 2749.

Now with "SSLVerifyClient require" in svn location context:
$ rm -Rf foo
$ svn co https://ssl.ourcompany.com/svn/foo
svn: PROPFIND request failed on '/svn/foo'
svn: PROPFIND of '/svn/foo': Could not read status line: SSL error: sslv3 alert unexpected message (https://ssl.ourcompany.com)

In other words, it doesn't give me the chance to supply a certificate when SSLVerifyClient is set to require as described in my first post.

For me it seems like the svn client gives up when the SSL server asks for a renegotiation.

Best regards,
Mads B. Tandrup
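
Added example, not part of the original thread and not code from Subversion or mod_ssl: a small Python check that flags per-directory SSLVerifyClient settings stricter than the enclosing server or virtual-host level, which is the configuration shape this thread associates with the renegotiation failure. The function name, the strictness ordering and the sample configuration (including its file path) are assumptions constructed for illustration.

```python
import re

# Containers where SSLVerifyClient is applied per directory, after the request is read.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}
# Assumed strictness ordering for this example.
RANK = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}
TAG = re.compile(r"<\s*(/?)\s*(\w+)\s*([^>]*)>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\w+)", re.I)

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
  SSLCACertificateFile /etc/ssl/ca.pem
  <Location /svn>
    SSLVerifyClient require
  </Location>
  <Location /webmail>
    SSLRequireSSL
  </Location>
</VirtualHost>
"""

def renegotiation_scopes(conf, default="none"):
    """Return (scope, level, server_level) for every per-directory
    SSLVerifyClient that is stricter than its server/vhost level."""
    levels = {None: default}      # vhost start line (None = global) -> level
    pending, stack, vhost = [], [], None
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        tag, m = TAG.match(line), VERIFY.match(line)
        if tag:
            closing, name, arg = tag.group(1), tag.group(2), tag.group(3).strip()
            if name.lower() == "virtualhost":
                vhost = None if closing else lineno
            elif name.lower() in PER_DIR and not closing:
                stack.append(f"{name} {arg}")
            elif name.lower() in PER_DIR and stack:
                stack.pop()
        elif m and stack:         # directive inside a per-directory container
            pending.append((stack[-1], m.group(1).lower(), vhost))
        elif m:                   # directive at server or vhost level
            levels[vhost] = m.group(1).lower()
    base = lambda vh: levels.get(vh, levels[None])
    return [(s, lvl, base(vh)) for s, lvl, vh in pending
            if RANK.get(lvl, 0) > RANK.get(base(vh), 0)]
```

On the sample, the /svn block is reported because it asks for "require" while its virtual host is at the default "none"; moving the directive to server or virtual-host level clears the finding.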


Re: SSL client certificate problem

Posted by Hannes Erven <h....@gmx.at>.
[...]
> But when I try to use SVN to access the repository it says:
>   svn: PROPFIND request failed on '/svn/foo'
>   svn: PROPFIND of '/svn/foo': Could not read status line: SSL error: sslv3 alert unexpected message (https://ssl.ourcompany.com)

Just a guess: did you tell subversion which client certificate to use?

Anyways, it would make troubleshooting and/or reproducing your problem
easier if you told us the actual svn commands you used.


-hannes
