subversion-users mailing list archives

From Yvan BARTHÉLEMY <ybarthel...@free.fr>
Subject Subversion + Apache + Mac OS X + Content Renegociation Security Update
Date Mon, 12 Apr 2010 22:37:17 GMT
Hi,

Since I've updated to the latest Apple Security Update (http://support.apple.com/kb/HT4004),
I cannot use client certificates the way I did before.

In my Apache setup, any user can browse using https without being authenticated, but they
should be authenticated to commit to subversion repositories or to access some secured applications.
I've implemented this using the Location directive in my Apache configuration and SSLVerifyClient
Optional.

After the update, the secured areas cannot be accessed.

To fix the problem, I've updated OpenSSL to 1.0.0 and Apache to 2.2.15 (in fact, recompiling
mod_ssl would probably have been sufficient). I used the SSLInsecureRenegotiation directive to
allow older clients to access secured areas.

Doing this allows me to run a browser and authenticate using client certificates, but subversion
does not.

When I issue any command, svn hangs and I get the following message when I interrupt the process:
> ^Csvn: PROPFIND request failed on '/svn/ybart'
> svn: PROPFIND of '/svn/ybart': Could not read status line: Interrupted system call (https://my-domain.tld)

If I set SSLVerifyClient require for the whole SSL vhost, svn is able to checkout and commit.

Running otool -L /usr/bin/svn indicated that svn was linking explicitly against /usr/lib/libssl.0.9.7.dylib
rather than the latest available. If I force svn to use 1.0.0 using a symlink, I can checkout,
but I get the following when committing:
> svn: Commit failed (details follow):
> svn: MKACTIVITY of '/svn/ybart/!svn/act/7373cac9-633d-46c2-b0c9-6ec049d52e2e': 403 Forbidden (https://my-domain.tld)

What should I do to have svn able to commit with this setup?

Here is the svn I'm using (this is the one provided by Apple with Mac OS X 10.5.8):
svn, version 1.4.4 (r25188)
   compiled Sep 28 2009, 16:25:45

Thanks,
Yvan
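
The two mod_ssl layouts the message contrasts, written out as an added example (not the poster's actual configuration) to show where TLS renegotiation enters. Certificate paths, the repository path and the `/svn` block contents are placeholder assumptions; only the directive names come from the message or from mod_ssl and mod_dav_svn.

```apache
# Added example. The two <VirtualHost> blocks are alternatives,
# not meant to be loaded together. All paths are placeholders.

# Layout A: client certificate requested per location
<VirtualHost *:443>
    ServerName my-domain.tld
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    # The initial handshake asks for no certificate, so anonymous
    # browsing over https works.
    SSLVerifyClient none

    # Weak setting: lets clients that lack RFC 5746 support renegotiate.
    # The mod_ssl default is "off"; the directive needs httpd 2.2.15+
    # built against OpenSSL 0.9.8m or later.
    SSLInsecureRenegotiation on

    <Location /svn>
        DAV svn
        SVNParentPath /path/to/repos
        # Per-directory context: mod_ssl learns that a certificate is
        # wanted only after it has read the request, so it renegotiates
        # the TLS session at this point. A client whose TLS library
        # cannot complete that renegotiation stalls here.
        SSLVerifyClient optional
    </Location>
</VirtualHost>

# Layout B: client certificate requested in the initial handshake
<VirtualHost *:443>
    ServerName my-domain.tld
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    # Vhost-wide: the certificate is exchanged during the first
    # handshake, so no renegotiation is needed and the insecure
    # renegotiation override can stay off.
    SSLVerifyClient require
    SSLInsecureRenegotiation off

    <Location /svn>
        DAV svn
        SVNParentPath /path/to/repos
    </Location>
</VirtualHost>
```

Layout B removes the renegotiation step but also removes anonymous https access to the whole virtual host.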

