Ah - great to hear!  There might be a better way for us to surface the
OpenSSL error (pointing at the outdated crypto algorithm) - in this case
that would have saved a bunch of time.

Cheers.  — justin

On Sun, Oct 1, 2023 at 5:39 PM Mirko Melis <mirk...@ovunque-si.it> wrote:

> Hi Justin,
>
> Thanks for your reply, I have fixed my problem!
>
> Anyway, my Subversion configuration is:
>
> > [groups]
> > ovunque=studio.ovunque-si.it
> > # othergroup = repository.blarggitywhoomph.com
> > # thirdgroup = *.example.com
> >
> > ### Information for the first group:
> > [ovunque]
> > ssl-client-cert-file=/home/mirko/documenti/mirko.p12
> > ssl-client-cert-password=******
> > ssl-authority-files=/home/mirko/documenti/ovunque.cert
> >
> > ### Information for the second group:
> > # [othergroup]
> > [...]
>
> These settings are shared over NFS. On "dadun" (a machine running Debian
> 11), where everything works fine, when I try to read the PKCS file I obtain
>
> > mmk@dadun:~/documenti$ openssl pkcs12 -info -in mirko.p12 -nodes
> > Enter Import Password:
> > MAC: sha1, Iteration 2048
> > MAC length: 20, salt length: 8
> > PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> > Certificate bag
> > Bag Attributes
> >     localKeyID: 8C 91 E9 59 3A D5 25 1D 74 F4 1D B3 DC 4A F4 36 4D 57
> > F9 C0
> > subject=C = IT, ST = Genova, L = Genova, O = Ovunque srl, CN = mirko,
> > emailAddress = mirk...@ovunque-si.it
> >
> > issuer=C = IT, ST = Genova, L = Genova, O = Ovunque srl, CN = Ovunque
> > srl CA, emailAddress = i...@ovunque-si.it, nsComment = certificato
> > ovunquino - www.ovunque-si.it
> >
> > -----BEGIN CERTIFICATE-----
> > [...]
>
> In "idea" (a machine recently updated to debian 12) with the same
> command I obtain
>
> > 2003:mirko@idea ~/documenti $ openssl pkcs12 -info -in mirko.p12 -nodes
> > Enter Import Password:
> > MAC: sha1, Iteration 2048
> > MAC length: 20, salt length: 8
> > PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
> > Error outputting keys and certificates
> > 802BEA32997F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
>
> So, I've recreated the pkcs12 file with the command
>
> > openssl pkcs12 -export -in mirko.cert -inkey mirko.chiave -passin
> > file:mirko.frase -out mirko.p12
> and everything works fine on Debian 12 as well.
>
> thanks a lot!
>
> Mirko
>
>
> On 01/10/23 13:53, Justin Erenkrantz wrote:
> > Hi Mirko,
> >
> > From your logs, it definitely appears that the client is being rejected for
> > not presenting the right client certificate with that required DN.
> >
> > How are you specifying the client cert in Subversion?
> >
> > Is OpenSSL's s_client able to connect to the server with that client cert
> > correctly when SSLRequire directive is present?
> >
> > OpenSSL did introduce some breaking changes in 3.x that we attempted to
> > resolve in 1.3.10, but it's possible something got missed in the process.
> > I'll take a pass to try to reproduce with Debian sid (unstable)...
> >
> > Cheers.  -- justin
> >
> > On Sat, Sep 30, 2023 at 8:54 PM Mirko Melis <mirk...@ovunque-si.it> wrote:
> >
> >> Hello,
> >>
> >> I am experiencing issues when trying to use a subversion client = 1.14.2
> >> (libserf 1.3.10) against an svn server running
> >>
> >> Debian bookworm
> >> apache 2.4.57
> >> subversion 1.14.2
> >> openssl 3.0.9
> >>
> >> with ssl client auth.
> >>
> >> I have now spent some days searching through old SSL client auth
> >> errors in the OpenSSL issues and the Subversion mailing list.
> >>
> >> Whenever I use the Subversion clients I receive the following error on
> >> the client side
> >>
> >>          svn: E170013: Unable to connect to a repository at URL '
> >> https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk' (
> >> https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk')
> >> svn: E120171: Errore durante l'esecuzione del contesto: An error
> occurred
> >> during SSL communication
> >>
> >> After I recompiled libserf with VERBOSE activated I have this log:
> >> 2134:mirko@idea ~/codici/siti/decana $ svn update
> >> Updating '.':
> >> [2023-10-01T02:44:14.120744+02] outgoing.c: created connection
> 0x46b7b028
> >> [2023-10-01T02:44:14.438549+02] buckets/ssl_buckets.c: ssl_encrypt:
> begin
> >> 8000
> >> [2023-10-01T02:44:14.438606+02] buckets/ssl_buckets.c: ssl_encrypt:
> bucket
> >> read 538 bytes; status 0
> >> [2023-10-01T02:44:14.438616+02] buckets/ssl_buckets.c: ---
> >> OPTIONS /svn/ovunque/php/decana-ig/trunk HTTP/1.1
> >> Host: studio.ovunque-si.it
> >> User-Agent: SVN/1.14.2 (x86_64-pc-linux-gnu) serf/1.3.10
> >> Content-Type: text/xml
> >> Connection: keep-alive
> >> Accept-Encoding: gzip
> >> DAV: http://subversion.tigris.org/xmlns/dav/svn/depth (
> >> http://subversion.tigris.org/xmlns/dav/svn/depth)
> >> DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo (
> >> http://subversion.tigris.org/xmlns/dav/svn/mergeinfo)
> >> DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops (
> >> http://subversion.tigris.org/xmlns/dav/svn/log-revprops)
> >> Content-Length: 131
> >>
> >> <?xml version="1.0" encoding="utf-8"?><D:options
> >>
> xmlns:D="DAV:"><D:activity-collection-set></D:activity-collection-set></D:options>
> >> -(538)-
> >> [2023-10-01T02:44:14.438731+02] buckets/ssl_buckets.c:
> SSL_connect:before
> >> SSL initialization
> >> [2023-10-01T02:44:14.439067+02] buckets/ssl_buckets.c: bio_bucket_write
> >> called for 517 bytes
> >> [2023-10-01T02:44:14.439097+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS write client hello
> >> [2023-10-01T02:44:14.439110+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.439122+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 0 bytes (70014)
> >> [2023-10-01T02:44:14.439139+02] buckets/ssl_buckets.c: SSL_connect:error
> >> in SSLv3/TLS write client hello
> >> [2023-10-01T02:44:14.439150+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
> >> write: -1
> >> [2023-10-01T02:44:14.439169+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
> >> write error: 2
> >> [2023-10-01T02:44:14.439181+02] buckets/ssl_buckets.c: ssl_encrypt: SSL
> >> write error: 120103 0
> >> [2023-10-01T02:44:14.439191+02] buckets/ssl_buckets.c: ssl_encrypt read
> >> agg: 120103 70014 0 517
> >> [2023-10-01T02:44:14.439206+02] buckets/ssl_buckets.c: ssl_encrypt
> >> finished: 120103 517 (8 1 9)
> >> [2023-10-01T02:44:14.446893+02] buckets/ssl_buckets.c: ssl_decrypt:
> begin
> >> 8000
> >> [2023-10-01T02:44:14.446934+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.446944+02] buckets/ssl_buckets.c: bio_bucket_read
> >> waiting: (8 1 9)
> >> [2023-10-01T02:44:14.446956+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 0 bytes (70014)
> >> [2023-10-01T02:44:14.446967+02] buckets/ssl_buckets.c: SSL_connect:error
> >> in SSLv3/TLS write client hello
> >> [2023-10-01T02:44:14.446995+02] buckets/ssl_buckets.c: ssl_decrypt: read
> >> 3278 bytes (8000); status: 0
> >> [2023-10-01T02:44:14.447025+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.447038+02] buckets/ssl_buckets.c: bio_bucket_read
> >> waiting: (8 1 9)
> >> [2023-10-01T02:44:14.447051+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.447065+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 122 bytes
> >> [2023-10-01T02:44:14.447075+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 122 bytes (0)
> >> [2023-10-01T02:44:14.447089+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS write client hello
> >> [2023-10-01T02:44:14.447638+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.447655+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.447669+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 1 bytes
> >> [2023-10-01T02:44:14.447681+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 1 bytes (0)
> >> [2023-10-01T02:44:14.447694+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.447707+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.447717+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 27 bytes
> >> [2023-10-01T02:44:14.447730+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 27 bytes (0)
> >> [2023-10-01T02:44:14.447752+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS read server hello
> >> [2023-10-01T02:44:14.447772+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.447785+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.447796+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 260 bytes
> >> [2023-10-01T02:44:14.447808+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 260 bytes (0)
> >> [2023-10-01T02:44:14.447826+02] buckets/ssl_buckets.c:
> SSL_connect:TLSv1.3
> >> read encrypted extensions
> >> [2023-10-01T02:44:14.447921+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.447933+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.447948+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 2483 bytes
> >> [2023-10-01T02:44:14.447961+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 2483 bytes (0)
> >> [2023-10-01T02:44:14.447985+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS read server certificate request
> >> [2023-10-01T02:44:14.449945+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.449968+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.449981+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 281 bytes
> >> [2023-10-01T02:44:14.449994+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 281 bytes (0)
> >> [2023-10-01T02:44:14.450016+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS read server certificate
> >> [2023-10-01T02:44:14.504824+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.504847+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 5 bytes (0)
> >> [2023-10-01T02:44:14.504856+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 69 bytes
> >> [2023-10-01T02:44:14.504864+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 69 bytes (70014)
> >> [2023-10-01T02:44:14.504885+02] buckets/ssl_buckets.c:
> SSL_connect:TLSv1.3
> >> read server certificate verify
> >> [2023-10-01T02:44:14.505019+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS read finished
> >> [2023-10-01T02:44:14.505041+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS write change cipher spec
> >> [2023-10-01T02:44:14.505111+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS write client certificate
> >> [2023-10-01T02:44:14.505142+02] buckets/ssl_buckets.c: bio_bucket_write
> >> called for 110 bytes
> >> [2023-10-01T02:44:14.505152+02] buckets/ssl_buckets.c: bio_bucket_write
> >> waiting: (0 0 0)
> >> [2023-10-01T02:44:14.505211+02] buckets/ssl_buckets.c:
> >> SSL_connect:SSLv3/TLS write finished
> >> [2023-10-01T02:44:14.505231+02] buckets/ssl_buckets.c: bio_bucket_read
> >> called for 5 bytes
> >> [2023-10-01T02:44:14.505244+02] buckets/ssl_buckets.c: bio_bucket_read
> >> received 0 bytes (70014)
> >> [2023-10-01T02:44:14.505259+02] buckets/ssl_buckets.c: ssl_decrypt:
> 120171
> >> 0 9
> >> [2023-10-01T02:44:14.506678+02] outgoing.c: reset connection 0x46b7b028
> >> [2023-10-01T02:44:14.506700+02] outgoing.c: cleaning up connection
> >> 0x46b7b028
> >> [2023-10-01T02:44:14.506712+02] outgoing.c: closed connection 0x46b7b028
> >> svn: E170013: Unable to connect to a repository at URL '
> >> https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk' (
> >> https://studio.ovunque-si.it/svn/ovunque/php/decana-ig/trunk')
> >> svn: E120171: Errore durante l'esecuzione del contesto: An error
> occurred
> >> during SSL communication
> >> 2135:mirko@idea ~/codici/siti/decana $
> >>
> >> On the server side I receive this error:
> >>
> >>          [Sun Oct 01 02:44:14.505491 2023] [ssl:trace4] [pid 2940614]
> >> ssl_engine_io.c(2411): [client 192.168.160.13:57474] OpenSSL: I/O
> error,
> >> 5 bytes expected to read on BIO#564742779c20 [mem: 564742795d43]
> >> [Sun Oct 01 02:44:14.505577 2023] [ssl:trace4] [pid 2940614]
> >> ssl_engine_io.c(2401): [client 192.168.160.13:57474] OpenSSL: write
> 24/24
> >> bytes to BIO#56474277b340 [mem: 56474279d970] (BIO dump follows)
> >> [Sun Oct 01 02:44:14.505588 2023] [ssl:trace7] [pid 2940614]
> >> ssl_engine_io.c(2331): [client 192.168.160.13:57474]
> >>
> +-------------------------------------------------------------------------+
> >> [Sun Oct 01 02:44:14.505599 2023] [ssl:trace7] [pid 2940614]
> >> ssl_engine_io.c(2368): [client 192.168.160.13:57474] | 0000: 17 03 03
> 00
> >> 13 c8 42 8e-25 51 2e b7 f5 33 b8 49 ......B.%Q...3.I |
> >> [Sun Oct 01 02:44:14.505608 2023] [ssl:trace7] [pid 2940614]
> >> ssl_engine_io.c(2368): [client 192.168.160.13:57474] | 0010: d2 6d 73
> 85
> >> 03 1e 82 c2- .ms..... |
> >> [Sun Oct 01 02:44:14.505614 2023] [ssl:trace7] [pid 2940614]
> >> ssl_engine_io.c(2373): [client 192.168.160.13:57474]
> >>
> +-------------------------------------------------------------------------+
> >> [Sun Oct 01 02:44:14.505733 2023] [ssl:info] [pid 2940614] [client
> >> 192.168.160.13:57474] AH01998: Connection closed to child 1 with
> abortive
> >> shutdown (server studio.ovunque-si.it:443)
> >>
> >> If I comment out these directives in the Apache configuration, everything works:
> >> SSLVerifyClient require
> >> SSLRequire %{SSL_CLIENT_S_DN_O} in {"***********"}
> >>
> >> Can someone help me?
> >> thanks in advance,
> >> Mirko
> >>
>
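
Added example, not part of the thread and not serf or Subversion code: a shell check that reads the `openssl pkcs12 -info` diagnostics quoted above and reports RC2/RC4-based encryption, the condition behind the `RC2-40-CBC` "unsupported" error on the Debian 12 machine. The function names, the passphrase-file argument and the RC2/RC4 match pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Flags PKCS#12 encryption schemes that
# OpenSSL 3.x does not provide in its default provider (RC2/RC4-based PBE).

# Read `openssl pkcs12 -info` diagnostics on stdin; print each RC2/RC4 scheme.
# Exit status: 0 = legacy scheme present, 1 = none found.
p12_legacy_algs() {
    sed -n \
        -e 's/^PKCS7 Encrypted data: \([^,]*\),.*/\1/p' \
        -e 's/^Shrouded Keybag: \([^,]*\),.*/\1/p' |
    sort -u | grep -E 'RC2|RC4'
}

# Hypothetical wrapper: inspect FILE ($1) with the passphrase kept in $2.
# The diagnostics go to stderr and the command itself fails on OpenSSL 3.x
# for an RC2 file, so stderr is captured and the exit code kept for later.
p12_check() {
    out=$(openssl pkcs12 -info -noout -in "$1" -passin "file:$2" 2>&1) \
        && rc=0 || rc=$?
    if algs=$(printf '%s\n' "$out" | p12_legacy_algs); then
        echo "$1: legacy encryption, re-export needed:" $algs
        return 1
    elif [ "$rc" -ne 0 ]; then
        echo "$1: openssl failed for another reason (exit $rc)" >&2
        return 2
    fi
    echo "$1: no RC2/RC4 schemes reported"
}

# Constructed sample: the diagnostic lines quoted in the thread.
sample_info() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Error outputting keys and certificates
EOF
}

if [ "$#" -eq 2 ]; then
    p12_check "$1" "$2"
else
    sample_info | p12_legacy_algs   # demo on the constructed sample
fi
```

Run with a `.p12` path and a passphrase file to check a real bundle; with no arguments it only classifies the embedded sample.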
