confirming debian #480041: subversion with libneon-gnutls fails if apache's SSLVerifyClient optional is set
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Nov 21 00:01:57 CET 2008
I just wanted to confirm this problem:
I'm using the current debian testing (on both client and server),
subversion against an https repository hosted by apache with mod_ssl
and mod_svn. The client in these scenarios *does not* have an X.509
certificate at all, but uses username/password authentication instead.
If i set up the apache mod_svn authentication like this:
AuthType Basic
AuthName "foo"
AuthUserFile /srv/etc/htpasswd
Require valid-user
Then a simple svn co works (i get prompted for a username/password if
none is cached, or it just connects if the authentication credentials
are already cached).
However, if i switch the authentication to:
AuthType Basic
AuthName "foo"
AuthUserFile /srv/etc/htpasswd
SSLVerifyClient optional
SSLVerifyDepth 1
SSLUserName SSL_CLIENT_S_DN_CN
Require valid-user
Then a checkout fails with:
[0 dkg at squeak ~]$ svn co https://foo.example.org/svn/monkey/trunk/gorilla
svn: OPTIONS of 'https://foo.example.org/svn/monkey/trunk/gorilla': Could not read status line: SSL error: Rehandshake was requested by the peer. (https://foo.example.org)
[1 dkg at squeak ~]$
On the client side:
[0 dkg at squeak ~]$ dpkg -l libsvn1 libneon27-gnutls libgnutls26 subversion libtasn1-3
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii libgnutls26 2.6.2-1 the GNU TLS library - runtime library
ii libneon27-gnut 0.28.2-5 An HTTP and WebDAV client library (GnuTLS en
ii libsvn1 1.5.1dfsg1-1 Shared libraries used by Subversion
ii libtasn1-3 1.4-1 Manage ASN.1 structures (runtime)
ii subversion 1.5.1dfsg1-1 Advanced version control system
[0 dkg at squeak ~]$
on the server side:
foo:/# dpkg -l apache2-mpm-worker libapache2-svn libssl0.9.8
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii apache2-mpm-wo 2.2.9-10 Apache HTTP Server - high speed threaded mod
ii libapache2-svn 1.5.1dfsg1-1 Subversion server modules for Apache
ii libssl0.9.8 0.9.8g-14 SSL shared libraries
foo:/#
If i leave the server configured with SSLVerifyClient optional, i can
make svn work by doing the following as the superuser (thanks to
Krystian Bacławski for the suggestion):
cd /usr/lib
rm libneon-gnutls.so.27
ln -s libneon.so.27 libneon-gnutls.so.27
In that case, svn (indirectly hooked via libneon into OpenSSL instead
of gnutls) prompts me for a choice of certificate about 6 times, and
then goes ahead and authenticates me via username/password.
So this is clearly either a problem with libneon-gnutls, or with
gnutls itself.
I see the same problem whether i'm using libgnutls26 2.4.2-3 (from
lenny) or 2.6.2-1 (from experimental).
--dkg
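The likely reason for the "Rehandshake was requested by the peer" error above is where the SSL directives sit: mod_ssl only learns the request path after the TLS handshake, so an SSLVerifyClient placed inside a per-directory container (<Location>, <Directory>, ...) that differs from the virtual-host setting can only be enforced by renegotiating the session, and the GnuTLS-backed neon in this report refuses that renegotiation. The following is an added example, not code from the original message or from the Debian, GnuTLS or Subversion projects: a small Python lint that walks an Apache config and flags SSLVerifyClient directives nested in such containers. The two sample configs are constructed; the first assumes the reporter's directives live in a <Location /svn> block (the original message does not show the container), the second hoists SSLVerifyClient and SSLVerifyDepth to the <VirtualHost> level so the certificate request happens in the initial handshake and no rehandshake is needed.

```python
"""Flag SSLVerifyClient directives that force a mod_ssl renegotiation.

Added example (not from the original report). mod_ssl can only apply a
per-directory SSLVerifyClient after it knows the request path, i.e. after the
first TLS handshake, so it renegotiates; TLS clients that refuse renegotiation
then fail with an error like the "Rehandshake was requested by the peer" seen
with the GnuTLS-backed libneon.
"""
import re
from typing import List, Tuple

# Containers whose contents are only known once the HTTP request has been read.
PER_DIR_CONTAINERS = r"(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)"
OPEN_RE = re.compile(r"^\s*<" + PER_DIR_CONTAINERS + r"\b", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</" + PER_DIR_CONTAINERS + r">", re.IGNORECASE)
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.IGNORECASE)


def find_renegotiating_verify(config: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, container, mode) for each SSLVerifyClient that sits
    inside a per-directory container with a mode other than 'none'.

    Only SSLVerifyClient is checked here; mod_ssl compares other per-directory
    SSL parameters as well, which this lint deliberately does not cover.
    """
    findings: List[Tuple[int, str, str]] = []
    stack: List[str] = []  # currently open per-directory containers
    for line_no, line in enumerate(config.splitlines(), 1):
        opened = OPEN_RE.match(line)
        if opened:
            stack.append(opened.group(1))
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        verify = VERIFY_RE.match(line)
        if verify and stack and verify.group(1).lower() != "none":
            findings.append((line_no, stack[-1], verify.group(1).lower()))
    return findings


# Constructed sample: the reporter's directives assumed inside <Location /svn>.
PER_LOCATION_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    <Location /svn>
        AuthType Basic
        AuthName "foo"
        AuthUserFile /srv/etc/htpasswd
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLUserName SSL_CLIENT_S_DN_CN
        Require valid-user
    </Location>
</VirtualHost>
"""

# Constructed sample: the same policy with the SSL directives at vhost level,
# so the optional client-certificate request is part of the initial handshake.
VHOST_LEVEL_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional
    SSLVerifyDepth 1
    <Location /svn>
        AuthType Basic
        AuthName "foo"
        AuthUserFile /srv/etc/htpasswd
        SSLUserName SSL_CLIENT_S_DN_CN
        Require valid-user
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in (("per-location", PER_LOCATION_CONFIG),
                      ("vhost-level", VHOST_LEVEL_CONFIG)):
        hits = find_renegotiating_verify(cfg)
        if hits:
            for line_no, container, mode in hits:
                print(f"{name}: line {line_no}: SSLVerifyClient {mode} inside "
                      f"<{container}> forces a TLS renegotiation")
        else:
            print(f"{name}: no per-directory SSLVerifyClient, no renegotiation")
```

Moving the directive to the virtual host changes the semantics slightly (every location on that vhost now receives the optional certificate request), so the check reports where a renegotiation would be triggered and leaves the decision to the administrator.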