Hi Justin,

Thanks for your reply, I have fixed my problem!

Anyway, my Subversion configuration is:

[groups]
ovunque=studio.ovunque-si.it
# othergroup = repository.blarggitywhoomph.com
# thirdgroup = *.example.com

### Information for the first group:
[ovunque]
ssl-client-cert-file=/home/mirko/documenti/mirko.p12
ssl-client-cert-password=******
ssl-authority-files=/home/mirko/documenti/ovunque.cert

### Information for the second group:
# [othergroup]
[...]

These settings are shared over NFS. On "dadun" (a machine running Debian 11), where everything works fine, when I try to read the PKCS#12 file I get

mmk@dadun:~/documenti$ openssl pkcs12 -info -in mirko.p12 -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
    localKeyID: 8C 91 E9 59 3A D5 25 1D 74 F4 1D B3 DC 4A F4 36 4D 57 F9 C0
subject=C = IT, ST = Genova, L = Genova, O = Ovunque srl, CN = mirko, emailAddress = mirk...@ovunque-si.it

issuer=C = IT, ST = Genova, L = Genova, O = Ovunque srl, CN = Ovunque srl CA, emailAddress = i...@ovunque-si.it, nsComment = certificato ovunquino - www.ovunque-si.it

-----BEGIN CERTIFICATE-----
[...]

On "idea" (a machine recently updated to Debian 12) the same command gives

2003:mirko@idea ~/documenti $ openssl pkcs12 -info -in mirko.p12 -nodes
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
802BEA32997F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

So, I've recreated the PKCS#12 file with the command

openssl pkcs12 -export -in mirko.cert -inkey mirko.chiave -passin file:mirko.frase -out mirko.p12

and now everything works fine on Debian 12 as well.

Thanks a lot!

Mirko
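As an added example (not part of this thread and not code from the Subversion, serf or OpenSSL projects), a pure-Python DER walk that reports whether a .p12 file relies on the RC2/RC4-based PKCS#12 PBE schemes that OpenSSL 3 only provides through its legacy provider, which is what made the pbeWithSHA1And40BitRC2-CBC file above fail on Debian 12 until it was re-exported. The function names are my own, the OID-to-name table follows RFC 7292, and the sample structure is constructed inline rather than read from a real file.

```python
LEGACY_PBE = {"1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",      # RC2/RC4-based PKCS#12 PBE
              "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",       # schemes: OpenSSL 3 ships
              "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",  # their ciphers only in the
              "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC"}   # "legacy" provider

def decode_oid(body: bytes) -> str:
    arcs, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:                          # base-128 arcs, high bit = continue
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(str(val)); val = 0
    return ".".join(arcs)
def read_tlv(buf: bytes, pos: int):             # one DER TLV -> (tag, value, next) or None
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F: return None
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: n length bytes follow
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf): return None
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return None if pos + length > len(buf) else (tag, buf[pos:pos + length], pos + length)

def collect_oids(buf: bytes, out: list, depth: int = 0) -> bool:
    """Gather OIDs, descending into constructed nodes and into OCTET STRINGs that hold DER."""
    pos = 0
    while pos < len(buf):
        tlv = read_tlv(buf, pos)
        if tlv is None or depth > 32: return False   # not DER (or absurd nesting)
        tag, value, pos = tlv
        if tag == 0x06 and value:
            out.append(decode_oid(value))
        elif tag & 0x20:                        # SEQUENCE, SET, [n] EXPLICIT
            collect_oids(value, out, depth + 1)
        elif tag == 0x04:                       # OCTET STRING (PKCS#12 nests AuthenticatedSafe
            inner = []                          # this way): keep inner OIDs only if the whole
            if collect_oids(value, inner, depth + 1):   # content parses; ciphertext won't
                out.extend(inner)
    return True
def legacy_algorithms(p12: bytes) -> list:      # [] means the .p12 loads without -legacy
    oids: list = []; collect_oids(p12, oids)
    return sorted({LEGACY_PBE[o] for o in oids if o in LEGACY_PBE})

# Constructed sample (not a real file): PKCS#12 skeleton with its AuthenticatedSafe in an
# OCTET STRING and an EncryptedData that names the given PBE OID. Short-form lengths suffice.
def der(tag: int, body: bytes) -> bytes: return bytes([tag, len(body)]) + body
OID_DATA, OID_ENC = bytes.fromhex("06092a864886f70d010701"), bytes.fromhex("06092a864886f70d010706")
OID_RC2_40, OID_PBES2 = bytes.fromhex("060a2a864886f70d010c0106"), bytes.fromhex("06092a864886f70d01050d")
def sample_p12(pbe_oid: bytes) -> bytes:
    params = der(0x30, der(0x04, b"\x01" * 8) + der(0x02, b"\x08\x00"))   # salt, 2048 iterations
    info = der(0x30, OID_DATA + der(0x30, pbe_oid + params) + der(0x80, b"\xc8\x42\x8e"))
    enc = der(0x30, OID_ENC + der(0xA0, der(0x30, der(0x02, b"\x00") + info)))
    return der(0x30, der(0x02, b"\x03") + der(0x30, OID_DATA + der(0xA0, der(0x04, der(0x30, enc)))))
```

On a real file, call legacy_algorithms(open(path, "rb").read()); a non-empty result is the file that will fail with "unsupported ... RC2-40-CBC" on an OpenSSL 3 client and should be re-exported as above.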


On 01/10/23 13:53, Justin Erenkrantz wrote:
Hi Mirko,

From your logs, it definitely appears that the client is being rejected for
not presenting the right client certificate with that required DN.

How are you specifying the client cert in Subversion?

Is OpenSSL's s_client able to connect to the server with that client cert
correctly when SSLRequire directive is present?

OpenSSL did introduce some breaking changes in 3.x that we attempted to
resolve in 1.3.10, but it's possible something got missed in the process.
I'll take a pass to try to reproduce with Debian sid (unstable)...

Cheers.  -- justin

On Sat, Sep 30, 2023 at 8:54 PM Mirko Melis <mirk...@ovunque-si.it> wrote:

Hello,

I am experiencing issues when trying to use a subversion client = 1.14.2
(libserf 1.3.10) against an svn server running

Debian bookworm
apache 2.4.57
subversion 1.14.2
openssl 3.0.9

with ssl client auth.

I have now spent some days searching through old SSL client auth
errors in the OpenSSL issues and the Subversion mailing list.

Whenever I use the subversion clients I receive the following error on the
client side

svn: E170013: Unable to connect to a repository at URL 'https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk'
svn: E120171: Errore durante l'esecuzione del contesto: An error occurred during SSL communication

After recompiling libserf with VERBOSE activated I get this log:

2134:mirko@idea ~/codici/siti/decana $ svn update
Updating '.':
[2023-10-01T02:44:14.120744+02] outgoing.c: created connection 0x46b7b028
[2023-10-01T02:44:14.438549+02] buckets/ssl_buckets.c: ssl_encrypt: begin
8000
[2023-10-01T02:44:14.438606+02] buckets/ssl_buckets.c: ssl_encrypt: bucket
read 538 bytes; status 0
[2023-10-01T02:44:14.438616+02] buckets/ssl_buckets.c: ---
OPTIONS /svn/ovunque/php/decana-ig/trunk HTTP/1.1
Host: studio.ovunque-si.it
User-Agent: SVN/1.14.2 (x86_64-pc-linux-gnu) serf/1.3.10
Content-Type: text/xml
Connection: keep-alive
Accept-Encoding: gzip
DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
Content-Length: 131

<?xml version="1.0" encoding="utf-8"?><D:options
xmlns:D="DAV:"><D:activity-collection-set></D:activity-collection-set></D:options>
-(538)-
[2023-10-01T02:44:14.438731+02] buckets/ssl_buckets.c: SSL_connect:before
SSL initialization
[2023-10-01T02:44:14.439067+02] buckets/ssl_buckets.c: bio_bucket_write
called for 517 bytes
[2023-10-01T02:44:14.439097+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS write client hello
[2023-10-01T02:44:14.439110+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.439122+02] buckets/ssl_buckets.c: bio_bucket_read
received 0 bytes (70014)
[2023-10-01T02:44:14.439139+02] buckets/ssl_buckets.c: SSL_connect:error
in SSLv3/TLS write client hello
[2023-10-01T02:44:14.439150+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
write: -1
[2023-10-01T02:44:14.439169+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
write error: 2
[2023-10-01T02:44:14.439181+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
write error: 120103 0
[2023-10-01T02:44:14.439191+02] buckets/ssl_buckets.c: ssl_encrypt read
agg: 120103 70014 0 517
[2023-10-01T02:44:14.439206+02] buckets/ssl_buckets.c: ssl_encrypt
finished: 120103 517 (8 1 9)
[2023-10-01T02:44:14.446893+02] buckets/ssl_buckets.c: ssl_decrypt: begin
8000
[2023-10-01T02:44:14.446934+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.446944+02] buckets/ssl_buckets.c: bio_bucket_read
waiting: (8 1 9)
[2023-10-01T02:44:14.446956+02] buckets/ssl_buckets.c: bio_bucket_read
received 0 bytes (70014)
[2023-10-01T02:44:14.446967+02] buckets/ssl_buckets.c: SSL_connect:error
in SSLv3/TLS write client hello
[2023-10-01T02:44:14.446995+02] buckets/ssl_buckets.c: ssl_decrypt: read
3278 bytes (8000); status: 0
[2023-10-01T02:44:14.447025+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.447038+02] buckets/ssl_buckets.c: bio_bucket_read
waiting: (8 1 9)
[2023-10-01T02:44:14.447051+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.447065+02] buckets/ssl_buckets.c: bio_bucket_read
called for 122 bytes
[2023-10-01T02:44:14.447075+02] buckets/ssl_buckets.c: bio_bucket_read
received 122 bytes (0)
[2023-10-01T02:44:14.447089+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS write client hello
[2023-10-01T02:44:14.447638+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.447655+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.447669+02] buckets/ssl_buckets.c: bio_bucket_read
called for 1 bytes
[2023-10-01T02:44:14.447681+02] buckets/ssl_buckets.c: bio_bucket_read
received 1 bytes (0)
[2023-10-01T02:44:14.447694+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.447707+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.447717+02] buckets/ssl_buckets.c: bio_bucket_read
called for 27 bytes
[2023-10-01T02:44:14.447730+02] buckets/ssl_buckets.c: bio_bucket_read
received 27 bytes (0)
[2023-10-01T02:44:14.447752+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS read server hello
[2023-10-01T02:44:14.447772+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.447785+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.447796+02] buckets/ssl_buckets.c: bio_bucket_read
called for 260 bytes
[2023-10-01T02:44:14.447808+02] buckets/ssl_buckets.c: bio_bucket_read
received 260 bytes (0)
[2023-10-01T02:44:14.447826+02] buckets/ssl_buckets.c: SSL_connect:TLSv1.3
read encrypted extensions
[2023-10-01T02:44:14.447921+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.447933+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.447948+02] buckets/ssl_buckets.c: bio_bucket_read
called for 2483 bytes
[2023-10-01T02:44:14.447961+02] buckets/ssl_buckets.c: bio_bucket_read
received 2483 bytes (0)
[2023-10-01T02:44:14.447985+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS read server certificate request
[2023-10-01T02:44:14.449945+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.449968+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.449981+02] buckets/ssl_buckets.c: bio_bucket_read
called for 281 bytes
[2023-10-01T02:44:14.449994+02] buckets/ssl_buckets.c: bio_bucket_read
received 281 bytes (0)
[2023-10-01T02:44:14.450016+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS read server certificate
[2023-10-01T02:44:14.504824+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.504847+02] buckets/ssl_buckets.c: bio_bucket_read
received 5 bytes (0)
[2023-10-01T02:44:14.504856+02] buckets/ssl_buckets.c: bio_bucket_read
called for 69 bytes
[2023-10-01T02:44:14.504864+02] buckets/ssl_buckets.c: bio_bucket_read
received 69 bytes (70014)
[2023-10-01T02:44:14.504885+02] buckets/ssl_buckets.c: SSL_connect:TLSv1.3
read server certificate verify
[2023-10-01T02:44:14.505019+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS read finished
[2023-10-01T02:44:14.505041+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS write change cipher spec
[2023-10-01T02:44:14.505111+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS write client certificate
[2023-10-01T02:44:14.505142+02] buckets/ssl_buckets.c: bio_bucket_write
called for 110 bytes
[2023-10-01T02:44:14.505152+02] buckets/ssl_buckets.c: bio_bucket_write
waiting: (0 0 0)
[2023-10-01T02:44:14.505211+02] buckets/ssl_buckets.c:
SSL_connect:SSLv3/TLS write finished
[2023-10-01T02:44:14.505231+02] buckets/ssl_buckets.c: bio_bucket_read
called for 5 bytes
[2023-10-01T02:44:14.505244+02] buckets/ssl_buckets.c: bio_bucket_read
received 0 bytes (70014)
[2023-10-01T02:44:14.505259+02] buckets/ssl_buckets.c: ssl_decrypt: 120171
0 9
[2023-10-01T02:44:14.506678+02] outgoing.c: reset connection 0x46b7b028
[2023-10-01T02:44:14.506700+02] outgoing.c: cleaning up connection
0x46b7b028
[2023-10-01T02:44:14.506712+02] outgoing.c: closed connection 0x46b7b028
svn: E170013: Unable to connect to a repository at URL 'https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk'
svn: E120171: Errore durante l'esecuzione del contesto: An error occurred during SSL communication
2135:mirko@idea ~/codici/siti/decana $

On the server side I receive this error:

[Sun Oct 01 02:44:14.505491 2023] [ssl:trace4] [pid 2940614]
ssl_engine_io.c(2411): [client 192.168.160.13:57474] OpenSSL: I/O error,
5 bytes expected to read on BIO#564742779c20 [mem: 564742795d43]
[Sun Oct 01 02:44:14.505577 2023] [ssl:trace4] [pid 2940614]
ssl_engine_io.c(2401): [client 192.168.160.13:57474] OpenSSL: write 24/24
bytes to BIO#56474277b340 [mem: 56474279d970] (BIO dump follows)
[Sun Oct 01 02:44:14.505588 2023] [ssl:trace7] [pid 2940614]
ssl_engine_io.c(2331): [client 192.168.160.13:57474]
+-------------------------------------------------------------------------+
[Sun Oct 01 02:44:14.505599 2023] [ssl:trace7] [pid 2940614]
ssl_engine_io.c(2368): [client 192.168.160.13:57474] | 0000: 17 03 03 00
13 c8 42 8e-25 51 2e b7 f5 33 b8 49 ......B.%Q...3.I |
[Sun Oct 01 02:44:14.505608 2023] [ssl:trace7] [pid 2940614]
ssl_engine_io.c(2368): [client 192.168.160.13:57474] | 0010: d2 6d 73 85
03 1e 82 c2- .ms..... |
[Sun Oct 01 02:44:14.505614 2023] [ssl:trace7] [pid 2940614]
ssl_engine_io.c(2373): [client 192.168.160.13:57474]
+-------------------------------------------------------------------------+
[Sun Oct 01 02:44:14.505733 2023] [ssl:info] [pid 2940614] [client
192.168.160.13:57474] AH01998: Connection closed to child 1 with abortive
shutdown (server studio.ovunque-si.it:443)

If I comment out these directives in the Apache configuration, everything works:
SSLVerifyClient require
SSLRequire %{SSL_CLIENT_S_DN_O} in {"***********"}

Can someone help me?
Thanks in advance,
Mirko
