Hi Mirko,

From your logs, it definitely appears that the client is being rejected for
not presenting the right client certificate with that required DN.

How are you specifying the client cert in Subversion?

Is OpenSSL's s_client able to connect to the server with that client cert
correctly when the SSLRequire directive is present?

OpenSSL did introduce some breaking changes in 3.x that we attempted to
resolve in 1.3.10, but it's possible something got missed in the process.
I'll take a pass to try to reproduce with Debian sid (unstable)...

Cheers.  -- justin

On Sat, Sep 30, 2023 at 8:54 PM Mirko Melis <mirk...@ovunque-si.it> wrote:

> Hello,
>
> I am experiencing issues when trying to use a subversion client = 1.14.2
> (libserf 1.3.10) against an svn server running
>
> Debian bookworm
> apache 2.4.57
> subversion 1.14.2
> openssl 3.0.9
>
> with ssl client auth.
>
> I have now spent about some days searching through old ssl client auth
> errors in the openssl issues, subversion mailing list.
>
> Whenever I use the subversion clients I receive the following error on the
> client side
>
>         svn: E170013: Unable to connect to a repository at URL
> 'https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk'
> svn: E120171: Errore durante l'esecuzione del contesto: An error occurred
> during SSL communication
>
> after I have recompiled libserf with VERBOSE activated I have this log:
> 2134:mirko@idea ~/codici/siti/decana $ svn update
> Updating '.':
> [2023-10-01T02:44:14.120744+02] outgoing.c: created connection 0x46b7b028
> [2023-10-01T02:44:14.438549+02] buckets/ssl_buckets.c: ssl_encrypt: begin
> 8000
> [2023-10-01T02:44:14.438606+02] buckets/ssl_buckets.c: ssl_encrypt: bucket
> read 538 bytes; status 0
> [2023-10-01T02:44:14.438616+02] buckets/ssl_buckets.c: ---
> OPTIONS /svn/ovunque/php/decana-ig/trunk HTTP/1.1
> Host: studio.ovunque-si.it
> User-Agent: SVN/1.14.2 (x86_64-pc-linux-gnu) serf/1.3.10
> Content-Type: text/xml
> Connection: keep-alive
> Accept-Encoding: gzip
> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
> DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
> DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
> Content-Length: 131
>
> <?xml version="1.0" encoding="utf-8"?><D:options
> xmlns:D="DAV:"><D:activity-collection-set></D:activity-collection-set></D:options>
> -(538)-
> [2023-10-01T02:44:14.438731+02] buckets/ssl_buckets.c: SSL_connect:before
> SSL initialization
> [2023-10-01T02:44:14.439067+02] buckets/ssl_buckets.c: bio_bucket_write
> called for 517 bytes
> [2023-10-01T02:44:14.439097+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS write client hello
> [2023-10-01T02:44:14.439110+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.439122+02] buckets/ssl_buckets.c: bio_bucket_read
> received 0 bytes (70014)
> [2023-10-01T02:44:14.439139+02] buckets/ssl_buckets.c: SSL_connect:error
> in SSLv3/TLS write client hello
> [2023-10-01T02:44:14.439150+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
> write: -1
> [2023-10-01T02:44:14.439169+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
> write error: 2
> [2023-10-01T02:44:14.439181+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
> write error: 120103 0
> [2023-10-01T02:44:14.439191+02] buckets/ssl_buckets.c: ssl_encrypt read
> agg: 120103 70014 0 517
> [2023-10-01T02:44:14.439206+02] buckets/ssl_buckets.c: ssl_encrypt
> finished: 120103 517 (8 1 9)
> [2023-10-01T02:44:14.446893+02] buckets/ssl_buckets.c: ssl_decrypt: begin
> 8000
> [2023-10-01T02:44:14.446934+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.446944+02] buckets/ssl_buckets.c: bio_bucket_read
> waiting: (8 1 9)
> [2023-10-01T02:44:14.446956+02] buckets/ssl_buckets.c: bio_bucket_read
> received 0 bytes (70014)
> [2023-10-01T02:44:14.446967+02] buckets/ssl_buckets.c: SSL_connect:error
> in SSLv3/TLS write client hello
> [2023-10-01T02:44:14.446995+02] buckets/ssl_buckets.c: ssl_decrypt: read
> 3278 bytes (8000); status: 0
> [2023-10-01T02:44:14.447025+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.447038+02] buckets/ssl_buckets.c: bio_bucket_read
> waiting: (8 1 9)
> [2023-10-01T02:44:14.447051+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.447065+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 122 bytes
> [2023-10-01T02:44:14.447075+02] buckets/ssl_buckets.c: bio_bucket_read
> received 122 bytes (0)
> [2023-10-01T02:44:14.447089+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS write client hello
> [2023-10-01T02:44:14.447638+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.447655+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.447669+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 1 bytes
> [2023-10-01T02:44:14.447681+02] buckets/ssl_buckets.c: bio_bucket_read
> received 1 bytes (0)
> [2023-10-01T02:44:14.447694+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.447707+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.447717+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 27 bytes
> [2023-10-01T02:44:14.447730+02] buckets/ssl_buckets.c: bio_bucket_read
> received 27 bytes (0)
> [2023-10-01T02:44:14.447752+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS read server hello
> [2023-10-01T02:44:14.447772+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.447785+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.447796+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 260 bytes
> [2023-10-01T02:44:14.447808+02] buckets/ssl_buckets.c: bio_bucket_read
> received 260 bytes (0)
> [2023-10-01T02:44:14.447826+02] buckets/ssl_buckets.c: SSL_connect:TLSv1.3
> read encrypted extensions
> [2023-10-01T02:44:14.447921+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.447933+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.447948+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 2483 bytes
> [2023-10-01T02:44:14.447961+02] buckets/ssl_buckets.c: bio_bucket_read
> received 2483 bytes (0)
> [2023-10-01T02:44:14.447985+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS read server certificate request
> [2023-10-01T02:44:14.449945+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.449968+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.449981+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 281 bytes
> [2023-10-01T02:44:14.449994+02] buckets/ssl_buckets.c: bio_bucket_read
> received 281 bytes (0)
> [2023-10-01T02:44:14.450016+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS read server certificate
> [2023-10-01T02:44:14.504824+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.504847+02] buckets/ssl_buckets.c: bio_bucket_read
> received 5 bytes (0)
> [2023-10-01T02:44:14.504856+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 69 bytes
> [2023-10-01T02:44:14.504864+02] buckets/ssl_buckets.c: bio_bucket_read
> received 69 bytes (70014)
> [2023-10-01T02:44:14.504885+02] buckets/ssl_buckets.c: SSL_connect:TLSv1.3
> read server certificate verify
> [2023-10-01T02:44:14.505019+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS read finished
> [2023-10-01T02:44:14.505041+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS write change cipher spec
> [2023-10-01T02:44:14.505111+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS write client certificate
> [2023-10-01T02:44:14.505142+02] buckets/ssl_buckets.c: bio_bucket_write
> called for 110 bytes
> [2023-10-01T02:44:14.505152+02] buckets/ssl_buckets.c: bio_bucket_write
> waiting: (0 0 0)
> [2023-10-01T02:44:14.505211+02] buckets/ssl_buckets.c:
> SSL_connect:SSLv3/TLS write finished
> [2023-10-01T02:44:14.505231+02] buckets/ssl_buckets.c: bio_bucket_read
> called for 5 bytes
> [2023-10-01T02:44:14.505244+02] buckets/ssl_buckets.c: bio_bucket_read
> received 0 bytes (70014)
> [2023-10-01T02:44:14.505259+02] buckets/ssl_buckets.c: ssl_decrypt: 120171
> 0 9
> [2023-10-01T02:44:14.506678+02] outgoing.c: reset connection 0x46b7b028
> [2023-10-01T02:44:14.506700+02] outgoing.c: cleaning up connection
> 0x46b7b028
> [2023-10-01T02:44:14.506712+02] outgoing.c: closed connection 0x46b7b028
> svn: E170013: Unable to connect to a repository at URL
> 'https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk'
> svn: E120171: Errore durante l'esecuzione del contesto: An error occurred
> during SSL communication
> 2135:mirko@idea ~/codici/siti/decana $
>
> on server side I receive this error:
>
>         [Sun Oct 01 02:44:14.505491 2023] [ssl:trace4] [pid 2940614]
> ssl_engine_io.c(2411): [client 192.168.160.13:57474] OpenSSL: I/O error,
> 5 bytes expected to read on BIO#564742779c20 [mem: 564742795d43]
> [Sun Oct 01 02:44:14.505577 2023] [ssl:trace4] [pid 2940614]
> ssl_engine_io.c(2401): [client 192.168.160.13:57474] OpenSSL: write 24/24
> bytes to BIO#56474277b340 [mem: 56474279d970] (BIO dump follows)
> [Sun Oct 01 02:44:14.505588 2023] [ssl:trace7] [pid 2940614]
> ssl_engine_io.c(2331): [client 192.168.160.13:57474]
> +-------------------------------------------------------------------------+
> [Sun Oct 01 02:44:14.505599 2023] [ssl:trace7] [pid 2940614]
> ssl_engine_io.c(2368): [client 192.168.160.13:57474] | 0000: 17 03 03 00
> 13 c8 42 8e-25 51 2e b7 f5 33 b8 49 ......B.%Q...3.I |
> [Sun Oct 01 02:44:14.505608 2023] [ssl:trace7] [pid 2940614]
> ssl_engine_io.c(2368): [client 192.168.160.13:57474] | 0010: d2 6d 73 85
> 03 1e 82 c2- .ms..... |
> [Sun Oct 01 02:44:14.505614 2023] [ssl:trace7] [pid 2940614]
> ssl_engine_io.c(2373): [client 192.168.160.13:57474]
> +-------------------------------------------------------------------------+
> [Sun Oct 01 02:44:14.505733 2023] [ssl:info] [pid 2940614] [client
> 192.168.160.13:57474] AH01998: Connection closed to child 1 with abortive
> shutdown (server studio.ovunque-si.it:443)
>
> If I comment these directives in the apache configuration all works:
> SSLVerifyClient require
> SSLRequire %{SSL_CLIENT_S_DN_O} in {"***********"}
>
> Can someone help me?
> thanks in advance,
> Mirko
>
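One way to run the two checks Justin asks for (how the cert is supplied, and whether s_client gets through with it), as an added helper script that is not part of the thread, serf, Subversion or Apache: it pulls the O= out of the client certificate and compares it with the values an SSLRequire "in {...}" list allows, then offers the same certificate through openssl s_client. File names, the host and the allowed organisation strings are placeholders.

```shell
#!/bin/sh
# Subversion takes the client cert as PKCS#12 (ssl-client-cert-file in
# ~/.subversion/servers); s_client wants PEM, so split it first:
#   openssl pkcs12 -in client.p12 -clcerts -nokeys -out client.pem
#   openssl pkcs12 -in client.p12 -nocerts -nodes  -out client.key

# Extract the O= component from a subject line as printed by
# "openssl x509 -noout -subject" ("O = X, CN = Y" or legacy "/O=X/CN=Y").
# Values containing an unescaped ',' or '/' are not handled.
subject_o() {
    printf '%s\n' "${1#subject=}" | tr ',/' '\n\n' |
        sed -n 's/^[[:space:]]*O[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when O ($1) is one of the values an SSLRequire "in {...}"
# list allows ($2...), i.e. what %{SSL_CLIENT_S_DN_O} is matched against.
o_allowed() {
    o=$1; shift
    for want in "$@"; do [ "$o" = "$want" ] && return 0; done
    return 1
}

# O= of a real certificate file (needs the openssl binary).
cert_o() {
    subject_o "$(openssl x509 -in "$1" -noout -subject)"
}

# Live check independent of serf: present the same certificate with
# s_client and send one OPTIONS request. Watch whether an HTTP response
# comes back at all, or the connection is closed right after the
# handshake, which is what the serf and Apache logs above show.
probe_server() {
    host=$1 cert=$2 key=$3
    printf 'OPTIONS / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" |
        openssl s_client -connect "$host:443" -servername "$host" \
            -cert "$cert" -key "$key" -quiet 2>&1
}

# Usage: sh check_client_o.sh client.pem client.key HOST "Allowed Org"...
if [ "$#" -ge 4 ]; then
    cert=$1 key=$2 host=$3; shift 3
    o=$(cert_o "$cert")
    if o_allowed "$o" "$@"; then echo "O='$o' is in the SSLRequire list"
    else echo "O='$o' is NOT in the SSLRequire list"; fi
    probe_server "$host" "$cert" "$key"
fi
```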
