I just wanted to confirm this problem: I'm using the current debian testing (on both client and server), subversion against an https repository hosted by apache with mod_ssl and mod_svn. The client in these scenarios *does not* have an X.509 certificate at all, but uses username/password authentication instead.
If i set up the apache mod_svn authentication like this:

  AuthType Basic
  AuthName "foo"
  AuthUserFile /srv/etc/htpasswd
  Require valid-user

Then a simple svn co works (i get prompted for a username/password if none is cached, or it just connects if the authentication credentials are already cached).

However, if i switch the authentication to:

  AuthType Basic
  AuthName "foo"
  AuthUserFile /srv/etc/htpasswd
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLUserName SSL_CLIENT_S_DN_CN
  Require valid-user

Then a checkout fails with:

[0 [EMAIL PROTECTED] ~]$ svn co https://foo.example.org/svn/monkey/trunk/gorilla
svn: OPTIONS of 'https://foo.example.org/svn/monkey/trunk/gorilla': Could not read status line: SSL error: Rehandshake was requested by the peer. (https://foo.example.org)
[1 [EMAIL PROTECTED] ~]$

On the client side:

[0 [EMAIL PROTECTED] ~]$ dpkg -l libsvn1 libneon27-gnutls libgnutls26 subversion libtasn1-3
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  libgnutls26    2.6.2-1        the GNU TLS library - runtime library
ii  libneon27-gnut 0.28.2-5       An HTTP and WebDAV client library (GnuTLS en
ii  libsvn1        1.5.1dfsg1-1   Shared libraries used by Subversion
ii  libtasn1-3     1.4-1          Manage ASN.1 structures (runtime)
ii  subversion     1.5.1dfsg1-1   Advanced version control system
[0 [EMAIL PROTECTED] ~]$

on the server side:

foo:/# dpkg -l apache2-mpm-worker libapache2-svn libssl0.9.8
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  apache2-mpm-wo 2.2.9-10       Apache HTTP Server - high speed threaded mod
ii  libapache2-svn 1.5.1dfsg1-1   Subversion server modules for Apache
ii  libssl0.9.8    0.9.8g-14      SSL shared libraries
foo:/#

If i leave the server configured with SSLVerifyClient optional, i can make svn work by doing the following as the superuser (thanks to Krystian Bacławski for the suggestion):

  cd /usr/lib
  rm libneon-gnutls.so.27
  ln -s libneon.so.27 libneon-gnutls.so.27

In that case, svn (indirectly hooked via libneon into OpenSSL instead of gnutls) prompts me for a choice of certificate about 6 times, and then goes ahead and authenticates me via username/password.

So this is clearly either a problem with libneon-gnutls, or with gnutls itself. I see the same problem whether i'm using libgnutls26 2.4.2-3 (from lenny) or 2.6.2-1 (from experimental).

--dkg