From: Daniel Kahn Gillmor
Subject: confirming debian #480041: subversion with libneon-gnutls fails if apache's SSLVerifyClient optional is set
Date: Thu, 20 Nov 2008 18:01:57 -0500
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

I just wanted to confirm this problem:

I'm using the current debian testing (on both client and server),
subversion against an https repository hosted by apache with mod_ssl
and mod_svn. The client in these scenarios *does not* have an X.509
certificate at all, but uses username/password authentication instead.

If i set up the apache mod_svn authentication like this:

    AuthType Basic
    AuthName "foo"
    AuthUserFile /srv/etc/htpasswd
    Require valid-user

Then a simple svn co works (i get prompted for a username/password if
none is cached, or it just connects if the authentication credentials
are already cached).

However, if i switch the authentication to:

    AuthType Basic
    AuthName "foo"
    AuthUserFile /srv/etc/htpasswd
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLUserName SSL_CLIENT_S_DN_CN
    Require valid-user

Then a checkout fails with:

    [0 address@hidden ~]$ svn co https://foo.example.org/svn/monkey/trunk/gorilla
    svn: OPTIONS of 'https://foo.example.org/svn/monkey/trunk/gorilla': Could not
    read status line: SSL error: Rehandshake was requested by the peer.
    (https://foo.example.org)
    [1 address@hidden ~]$

On the client side:

    [0 address@hidden ~]$ dpkg -l libsvn1 libneon27-gnutls libgnutls26 subversion libtasn1-3
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
    ||/ Name           Version        Description
    +++-==============-==============-============================================
    ii  libgnutls26    2.6.2-1        the GNU TLS library - runtime library
    ii  libneon27-gnut 0.28.2-5       An HTTP and WebDAV client library (GnuTLS en
    ii  libsvn1        1.5.1dfsg1-1   Shared libraries used by Subversion
    ii  libtasn1-3     1.4-1          Manage ASN.1 structures (runtime)
    ii  subversion     1.5.1dfsg1-1   Advanced version control system
    [0 address@hidden ~]$

On the server side:

    foo:/# dpkg -l apache2-mpm-worker libapache2-svn libssl0.9.8
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
    ||/ Name           Version        Description
    +++-==============-==============-============================================
    ii  apache2-mpm-wo 2.2.9-10       Apache HTTP Server - high speed threaded mod
    ii  libapache2-svn 1.5.1dfsg1-1   Subversion server modules for Apache
    ii  libssl0.9.8    0.9.8g-14      SSL shared libraries
    foo:/#

If i leave the server configured with SSLVerifyClient optional, i can
make svn work by doing the following as the superuser (thanks to
Krystian Bacławski for the suggestion):

    cd /usr/lib
    rm libneon-gnutls.so.27
    ln -s libneon.so.27 libneon-gnutls.so.27

In that case, svn (indirectly hooked via libneon into OpenSSL instead
of gnutls) prompts me for a choice of certificate about 6 times, and
then goes ahead and authenticates me via username/password.

So this is clearly either a problem with libneon-gnutls, or with
gnutls itself.

I see the same problem whether i'm using libgnutls26 2.4.2-3 (from
lenny) or 2.6.2-1 (from experimental).

--dkg
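
Added example, not part of the original message or of any project named in it: mod_ssl documents that SSLVerifyClient in a per-directory context is applied through a renegotiation after the request is read, which matches the "Rehandshake was requested by the peer" failure reported above. The Python below scans Apache configuration text for such directives; the function name, the sample configuration and the assumption that the message's directives sit inside a <Location> block are constructed for illustration.

```python
import re

# Per-directory containers: mod_ssl documents that SSLVerifyClient set here
# is enforced by renegotiating after the HTTP request has been read.
PER_DIR = {"location", "locationmatch", "directory", "directorymatch",
           "files", "filesmatch"}
OPEN = re.compile(r"<(\w+)[^>]*>")
CLOSE = re.compile(r"</(\w+)\s*>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)

# Constructed sample: the directives from the message, assumed to sit in a
# <Location> block (the message does not show the enclosing container).
SAMPLE_CONF = """\
<VirtualHost *:443>
    <Location /svn>
        AuthType Basic
        AuthName "foo"
        AuthUserFile /srv/etc/htpasswd
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLUserName SSL_CLIENT_S_DN_CN
        Require valid-user
    </Location>
</VirtualHost>
"""

def find_renegotiation_candidates(conf_text):
    """Return (line_no, container, level) for every SSLVerifyClient that
    requests a certificate from inside a per-directory container."""
    stack, hits = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.fullmatch(line):
            while stack and stack.pop()[0] != m.group(1).lower():
                pass  # pop back to the matching opener
        elif m := OPEN.fullmatch(line):
            stack.append((m.group(1).lower(), line))
        elif m := VERIFY.match(line):
            level = m.group(1).lower()
            inner = next((s for s in reversed(stack) if s[0] in PER_DIR), None)
            if inner and level != "none":
                hits.append((no, inner[1], level))
    return hits

if __name__ == "__main__":
    for no, container, level in find_renegotiation_candidates(SAMPLE_CONF):
        print(f"line {no}: SSLVerifyClient {level} inside {container}")
```

A hit is a candidate only: the scanner does not compare against the level already set for the enclosing virtual host.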