You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Emmanuel Hislen <em...@marseillenetworks.com> on 2007/08/01 18:40:45 UTC
HTTPS issue with files over 128K
Hi,
I'm stuck with this issue, I tried both openssl and mod_ssl mailing
lists before trying this list. Got no reply at all on either one.
My issue is fairly simple so I really hope someone else encountered it
and found a solution:
I have a Subversion server running on FC6. From yum:
httpd.i386 2.2.3-5 installed
mod_ssl.i386 1:2.2.3-5 installed
openssl.i686 0.9.8b-8.3.fc6 installed
subversion.i386 1.4.3-2.fc6 installed
My users have issues checking-in large files via HTTPS. They get a "413
Request Entity Too Large".
No such issue with HTTP.
Authentication is basic using LDAP server (same machine as subversion
server).
This is the https log for the error:
[Mon Jul 09 07:01:36 2007] [error] [client xxx.xxx.xxx.xxx] request body
exceeds maximum size for SSL buffer
[Mon Jul 09 07:01:36 2007] [error] [client xxx.xxx.xxx.xxx] could not
buffer message body to allow SSL renegotiation to proceed
Failure happened on a 494KB file.
Now I have already done some homework on this and read somewhere that
this was an SSL issue where the first packet cannot be larger than 128KB
for security reasons (DoS). Now I also read that a workaround was to use
Client Certificates as authentication, and to put the 'SSLVerifyClient'
option inside the Virtual Host section to force renegotiation. I did all
that and at first it seemed to work, I was able to check-in one file
that previously had the issue, but now users are still reporting the
same issue in many cases
In the VirtualHost section of my ssl.conf I have:
<VirtualHost _default_:443>
(...)
<Location /svn-rep>
SSLVerifyClient require
SSLOptions +OptRenegotiate
</Location>
(...)
</VirtualHost>
Should I just abandon HTTPS solution and go to svnserve over SSH?????
I would greatly appreciate any suggestion,
Regards,
Emmanuel.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: HTTPS issue with files over 128K
Posted by Emmanuel Hislen <em...@marseillenetworks.com>.
Yes it does. I had looked at this before, but reading it again I saw
where my problem is.
The solution is to put the SSLVerifyClient in the VirtualHost section,
which I had, excepted it was nested in a <Location> subsection instead
of being at the top level.
That was my problem, duh...
Thanks so much!
Emmanuel.
Rainer Sokoll wrote:
> On Wed, Aug 01, 2007 at 11:40:45AM -0700, Emmanuel Hislen wrote:
>
>
>> <VirtualHost _default_:443>
>> (...)
>> <Location /svn-rep>
>> SSLVerifyClient require
>> SSLOptions +OptRenegotiate
>> </Location>
>> (...)
>> </VirtualHost>
>>
>
> Does http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 match here?
>
> Rainer
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: HTTPS issue with files over 128K
Posted by Rainer Sokoll <R....@intershop.de>.
On Wed, Aug 01, 2007 at 11:40:45AM -0700, Emmanuel Hislen wrote:
> <VirtualHost _default_:443>
> (...)
> <Location /svn-rep>
> SSLVerifyClient require
> SSLOptions +OptRenegotiate
> </Location>
> (...)
> </VirtualHost>
Does http://issues.apache.org/bugzilla/show_bug.cgi?id=39154 match here?
Rainer
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org