Bug#327269: apache2 security update breaks ssl+svn

2005-09-09 Thread Andreas Jellinghaus
On Friday 09 September 2005 10:58, R. Mattes wrote:
> After reading the initial bug report I checked with my upgraded SVN
> servers (no client certs involved).  "Fresh" checkouts seem to work
> flawlessly but checkouts from user accounts that had already checked
> out from the server hang. Doing a 'svn co --no-auth-cache' from these
> accounts seems to have fixed the problem (i.e. afterwards checkouts
> work even without the '--no-auth-cache' option). Maybe there's a problem
> with SVN's cert cache?

I had tried something similar: I had deleted the .subversion/auth/
directory, but it didn't help. I can try that option tomorrow, but
I guess it won't help either.

Regards, Andreas


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#327269: apache2 security update breaks ssl+svn

2005-09-09 Thread R. Mattes
On Fri, 2005-09-09 at 10:37 +1000, Adam Conrad wrote:
> Andreas Jellinghaus wrote:
> 
> >Package: apache2
> >Version: 2.0.54-5
> >Severity: critical
> >
> >After upgrading 2.0.54-4 to 2.0.54-5 svn+ssl is broken:
> >
> >subversion client (e.g. checkout):
> >svn: PROPFIND request failed on '/svn/test'
> >svn: PROPFIND of '/svn/test': Could not read status line: SSL error: sslv3 
> >alert unexpected message (https://www.opensc.org)
> >
> >apache error log:
> >[Thu Sep 08 20:47:39 2005] [error] Re-negotiation handshake failed: Not 
> >accepted by client!?
> >
> >downgrade to 2.0.54-4 and everything is fine again.
> >
> >debian gnu linux / sarge / kernel 2.6.11.11 vanilla, i386,
> >apache2 on 80 and 443, ssl with self signed certificate,
> >accepting a list of self signed certificates, svn repository
> >needs those for write access only.
> >
> >more configuration and any detail you need available on request.
> I would like a tarball of your /etc/apache2/, if that's not too much
> inconvenience.  I suspect a combination of a longstanding subversion bug
> and a (mis)configuration of apache2 are biting you, and the recent
> apache2 bugfix just exposed the issue.  I need to see how you have your
> sites set up to confirm this, though.

After reading the initial bug report I checked with my upgraded SVN
servers (no client certs involved).  "Fresh" checkouts seem to work
flawlessly but checkouts from user accounts that had already checked
out from the server hang. Doing a 'svn co --no-auth-cache' from these
accounts seems to have fixed the problem (i.e. afterwards checkouts
work even without the '--no-auth-cache' option). Maybe there's a problem
with SVN's cert cache?

HTH Ralf Mattes
> ... Adam






Bug#327269: apache2 security update breaks ssl+svn

2005-09-09 Thread Andreas Jellinghaus
Hi Adam,

> Could you try, for curiosity's sake, setting "SSLVerifyClient none" in
> the main VirtualHost, and keeping the rest the same, and seeing if that
> makes a difference for you at all? 

Done, no change at all.

Thanks for looking into this issue.

Regards, Andreas





Bug#327269: apache2 security update breaks ssl+svn

2005-09-09 Thread Adam Conrad
Andreas Jellinghaus wrote:

>On Friday 09 September 2005 02:37, Adam Conrad wrote:
>>I would like a tarball of your /etc/apache2/
>if there is anything else I can do to help, please let me know.

Meh.  Yeah, this is actually a neon or svn (not sure who) bug, where it
can't do renegotiations when requested, and our fix for the security
hole in apache2 removed a "feature" (that "feature" was the security
hole) you were relying on with your configs.  I need to set up a test
case here and see if there's a good way to do this, so it still works
how you want, without fixing neon/svn (which isn't really an option).

The bug that you were taking advantage of is that if you had
"SSLVerifyClient optional" in your VirtualHost, and "SSLVerifyClient
require" in a Location statement, the latter would never be honoured, so
I could actually get at your SVN repo by refusing to offer a client
cert, and Apache would give me write access.  Whoops.

We've fixed that, but in fixing that, obviously you've tripped on the
above issue.

Could you try, for curiosity's sake, setting "SSLVerifyClient none" in
the main VirtualHost, and keeping the rest the same, and seeing if that
makes a difference for you at all?  Over the weekend, I'll set up a test
SVN site and follow some codepaths around in mod_ssl and see if there's
still a way (short of you using separate Vhosts for read access and
read/write access, which has been considered by many the "most secure"
option) to have apache behave the way you'd like it to.

... Adam
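
The layering Adam describes above (SSLVerifyClient optional at the VirtualHost, SSLVerifyClient require inside a Location) is easy to spot mechanically. The following is an added example, not code from the bug report, from Debian or from Apache: a small audit script that walks a simplified Apache 2.0 config, records the SSLVerifyClient level per VirtualHost and per Location, and flags the optional-then-require combination. It embeds two constructed sample configs, one with the layering from the bug report and one using the separate read-only and read/write vhosts Adam mentions; the addresses, ports, paths and file names in them are illustrative assumptions, and the parser only understands one directive per line with VirtualHost and Location containers.

```python
"""Audit an Apache 2.0 mod_ssl config for the SSLVerifyClient layering
discussed in Debian bug #327269 (vhost 'optional', <Location> 'require').

Added example, not code from the bug report, Debian or Apache. It assumes
a simplified config grammar (one directive per line, <VirtualHost> and
<Location> containers) and the constructed configs below; addresses,
ports, paths and file names are illustrative.
"""
import re

OPEN_RE = re.compile(r"^<(VirtualHost|Location)\s+([^>]*)>$", re.I)
CLOSE_RE = re.compile(r"^</(VirtualHost|Location)>$", re.I)
VERIFY_RE = re.compile(
    r"^SSLVerifyClient\s+(none|optional|optional_no_ca|require)$", re.I)


def parse_verify_settings(config):
    """One record per <VirtualHost>: its own SSLVerifyClient level (None
    if unset) and the level set inside each <Location> it contains."""
    vhosts, current, location = [], None, None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.group(1).lower(), m.group(2).strip()
            if kind == "virtualhost":
                current = {"vhost": arg, "verify": None, "locations": {}}
                vhosts.append(current)
            elif current is not None:
                location = arg
            continue
        if CLOSE_RE.match(line):
            if line.lower().startswith("</virtualhost"):
                current = None
            location = None              # leaving a Location or the vhost
            continue
        m = VERIFY_RE.match(line)
        if m and current is not None:
            level = m.group(1).lower()
            if location is None:
                current["verify"] = level
            else:
                current["locations"][location] = level
    return vhosts


def find_optional_then_require(config):
    """(vhost, location) pairs where the vhost says 'optional' but a
    <Location> says 'require'. Per the bug thread, apache2 2.0.54-4 never
    honoured the inner 'require', and the fixed package enforces it with a
    renegotiation the Subversion client of the day could not complete."""
    hits = []
    for rec in parse_verify_settings(config):
        if rec["verify"] == "optional":
            hits.extend((rec["vhost"], loc)
                        for loc, level in rec["locations"].items()
                        if level == "require")
    return hits


# Constructed sample 1: the layering from the bug report. Anyone may read;
# the <Location> is meant to force writers to present a client cert.
WEAK_CONFIG = """
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.pem
    SSLCACertificateFile /etc/apache2/ssl/clients.pem
    SSLVerifyClient optional
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

# Constructed sample 2: separate read-only and read/write vhosts. The cert
# is demanded in the initial handshake of the write vhost, so no
# renegotiation is needed; the read-only vhost refuses write methods.
SPLIT_CONFIG = """
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.pem
    SSLVerifyClient none
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>
<VirtualHost 192.0.2.10:8443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/server.pem
    SSLCACertificateFile /etc/apache2/ssl/clients.pem
    SSLVerifyClient require
    <Location /svn>
        DAV svn
        SVNParentPath /var/lib/svn
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("split", SPLIT_CONFIG)):
        print(name, find_optional_then_require(cfg))
```

Running the script reports the `/svn` Location under the `192.0.2.10:443` vhost for the first config and nothing for the second. The split layout avoids the renegotiation entirely because mod_ssl asks for the client certificate in the first handshake of the write vhost, which is why Adam calls it the most secure option; the read-only vhost still has to refuse the WebDAV write methods itself, which the `LimitExcept` block does here.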






Bug#327269: apache2 security update breaks ssl+svn

2005-09-08 Thread Adam Conrad
Andreas Jellinghaus wrote:

>Package: apache2
>Version: 2.0.54-5
>Severity: critical
>
>After upgrading 2.0.54-4 to 2.0.54-5 svn+ssl is broken:
>
>subversion client (e.g. checkout):
>svn: PROPFIND request failed on '/svn/test'
>svn: PROPFIND of '/svn/test': Could not read status line: SSL error: sslv3 
>alert unexpected message (https://www.opensc.org)
>
>apache error log:
>[Thu Sep 08 20:47:39 2005] [error] Re-negotiation handshake failed: Not 
>accepted by client!?
>
>downgrade to 2.0.54-4 and everything is fine again.
>
>debian gnu linux / sarge / kernel 2.6.11.11 vanilla, i386,
>apache2 on 80 and 443, ssl with self signed certificate,
>accepting a list of self signed certificates, svn repository
>needs those for write access only.
>
>more configuration and any detail you need available on request.
I would like a tarball of your /etc/apache2/, if that's not too much
inconvenience.  I suspect a combination of a longstanding subversion bug
and a (mis)configuration of apache2 are biting you, and the recent
apache2 bugfix just exposed the issue.  I need to see how you have your
sites set up to confirm this, though.

... Adam







Bug#327269: apache2 security update breaks ssl+svn

2005-09-08 Thread Andreas Jellinghaus
Package: apache2
Version: 2.0.54-5
Severity: critical

After upgrading 2.0.54-4 to 2.0.54-5 svn+ssl is broken:

subversion client (e.g. checkout):
svn: PROPFIND request failed on '/svn/test'
svn: PROPFIND of '/svn/test': Could not read status line: SSL error: sslv3 
alert unexpected message (https://www.opensc.org)

apache error log:
[Thu Sep 08 20:47:39 2005] [error] Re-negotiation handshake failed: Not 
accepted by client!?

downgrade to 2.0.54-4 and everything is fine again.

debian gnu linux / sarge / kernel 2.6.11.11 vanilla, i386,
apache2 on 80 and 443, ssl with self signed certificate,
accepting a list of self signed certificates, svn repository
needs those for write access only.

more configuration and any detail you need available on request.

Regards, Andreas

