Hi,

I sent this message to the Subversion mailing list, but as there has
not been any reply so far and as Neon handles the data transfer
anyway, maybe here is the better place to ask...

I tried to upgrade a SVN repository server Apache installation from
version 2.0.54 to 2.0.55 today, but it seems like Subversion 1.2.3
(Linux and Windows) can't renegotiate SSL sessions with the new Apache
version. The error message is:

  svn: PROPFIND of '/foobar': Could not read status line: SSL
  error: sslv3 alert unexpected message (https://server.tld)

I have seen this error in Apache 2.0.54 as well, but the following
configuration works without problems:

  # Works with Apache 2.0.54, but not with Apache 2.0.55
  SSLVerifyClient optional
  <Location /svn>
    DAV svn
    SVNParentPath /path/to/reps
    AuthzSVNAccessFile /path/to/accessfile
    SSLVerifyClient require
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLOptions +StrictRequire
  </Location>

For Apache 2.0.55, the only working configuration I found so far is:

  # Works with both Apache 2.0.54 and Apache 2.0.55,
  # but requires client certificates for all services.
  SSLVerifyClient require
  <Location /svn>
    DAV svn
    SVNParentPath /path/to/reps
    AuthzSVNAccessFile /path/to/accessfile
    SSLUserName SSL_CLIENT_S_DN_CN
    SSLOptions +StrictRequire
  </Location>

The modified SSLVerifyClient settings imply that any client trying to
access the server *must* provide a valid client certificate. This is
not acceptable, because the machine also serves clients which don't
own any certificates (i.e. for Webmail).

As I used the same SVN 1.2.3 sources with both Apache versions, it
seems to me that recent changes in the Apache SSL session handling are
causing trouble. I write this message in the hope that somebody here
has found a workaround which allows SVN to work with Apache 2.0.55 as
it did with version 2.0.54: SVN access with client certificate only,
access to other services without client certificate.

Any ideas, apart from "go ask your questions on the Apache mailing
lists"? ;-)

--
Mit freundlichen Grüßen / Sincerely
Dipl. Inform. Ralph Seichter

_______________________________________________
neon mailing list
neon@webdav.org
http://mailman.webdav.org/mailman/listinfo/neon
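
An added example, not part of the original message: a small Python sketch that reads the two configurations quoted above (abridged to the SSL-relevant directives) and reports which `<Location>` blocks ask for a stricter SSLVerifyClient level than the server-wide one, the case in which mod_ssl has to renegotiate after it has read the request. The `audit` function, the constant names and the strictness ordering are assumptions made for illustration, and only `<Location>` sections are handled.

```python
import re

# Configurations quoted in the message, abridged to the SSL-relevant lines.
CONF_OPTIONAL_THEN_REQUIRE = """\
SSLVerifyClient optional
<Location /svn>
  DAV svn
  SSLVerifyClient require
  SSLUserName SSL_CLIENT_S_DN_CN
</Location>
"""
CONF_REQUIRE_EVERYWHERE = """\
SSLVerifyClient require
<Location /svn>
  DAV svn
  SSLUserName SSL_CLIENT_S_DN_CN
</Location>
"""

# Assumed strictness ordering of SSLVerifyClient values (mod_ssl default: none).
STRICTNESS = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}

def audit(conf):
    """Return (server_level, [(location, effective_level, renegotiates)])."""
    server, current, per_location = "none", None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            current = opened.group(1)
            per_location.setdefault(current, None)
        elif line.lower() == "</location>":
            current = None
        elif line.lower().startswith("sslverifyclient "):
            level = line.split()[1].lower()
            if current is None:
                server = level
            else:
                per_location[current] = level
    report = []
    for location, level in per_location.items():
        effective = level or server
        # A stricter per-location level cannot be met by the first handshake.
        report.append((location, effective, STRICTNESS[effective] > STRICTNESS[server]))
    return server, report

if __name__ == "__main__":
    for name in ("CONF_OPTIONAL_THEN_REQUIRE", "CONF_REQUIRE_EVERYWHERE"):
        print(name, audit(globals()[name]))
```

Only the first configuration is flagged, which matches the message: it is the one that depends on renegotiation and the one that fails against 2.0.55.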
