2010/1/12 Andreas Jellinghaus <a...@dungeon.inka.de>:
> Hi everyone,
>
> some of you might notice that you can surf to
> https://www.opensc-project.org/
>
> but your web browser will give you an error when you go to
> https://www.opensc-project.org/svn/opensc/
>
> For all projects on opensc-project.org we allow everyone to
> access the svn repositories write only. But only about 20
> developers have write access too. Write access is implemented
> with x.509 certificates and ssl client authentication.
>
> The technical background is close to this: everyone can
> connect to https port of the web server and not present
> a client certificate (the server isn't asking for one).
> but if your https request concerns the svn repositories
> (/svn/ and below), then the server is configured to
> ask "do you want to show me a certificate?". and later
> it looks at the request: read-only requests are always
> granted, but any write request is only allowed, if a
> proper client certificate was presented in the ssl
> communication.
>
> The problem is this: the implementation of this uses a feature
> called "renegotiation" - first server and client build the
> ssl connection without a client certificate, then the server
> changes the existing connection to ask the client, if it
> wants to present one (but only if a certain request was
> given to the server).
>
> for that reason subversion only works if compiled with openssl
> and not with gnutls - because the gnutls developers didn't implement
> renegotiation.
>
> A security problem with this ssl renegotiation feature was
> discovered and the problem is in the protocol, so all complete
> implementations of ssl are affected. the quick fix for many
> vendors now is this: they disable renegotiation feature, as only
> few people use it.
>
> so if your web browser is up to date, you can no longer surf to
> /svn/ on our website with https. but you can still do that without
> ssl encryption.
>
> at least for me subversion still works fine, so no need to change
> anything right now.

Subversion also works for me on Debian using https. But it is broken
on Mac OS X Snow Leopard.

On Debian:
$ svn, version 1.6.3 (r38063)
   compiled Jul 15 2009, 04:55:55

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
  - handles 'http' scheme
  - handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - handles 'http' scheme
  - handles 'https' scheme

On Snow Leopard:
$ svn --version
svn, version 1.6.5 (r38866)
   compiled Oct 16 2009, 02:54:10

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
  - handles 'http' scheme
  - handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme

And the error is:
$ svn up
svn: OPTIONS of 'https://www.opensc-project.org/svn/opensc/trunk':
Could not read status line: Secure connection truncated
(https://www.opensc-project.org)

I tried to update svn to 1.6.6 on Mac using the CollabNet version [1].
But I still have the same error.

It is not a _big_ problem for me. But if someone has a solution that would help.

Bye,

[1] http://www.open.collab.net/collabXchange/apple/overview.html?_=d

-- 
Dr. Ludovic Rousseau
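
The access rule described in the quoted message, sketched as an added Apache httpd configuration; it is not from this thread and is not the project's actual configuration. It assumes mod_ssl and mod_dav_svn (the thread does not name the server software), and the host name, certificate files and repository path are placeholders.

```apache
# Added example. Host name, file paths and repository path are placeholders.
<VirtualHost *:443>
    ServerName svn.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    # CA that issued the developers' client certificates
    SSLCACertificateFile  /etc/ssl/example/developer-ca.crt

    # Setup as described in the message: the certificate is requested only
    # for /svn/. The server learns the path after the handshake has finished,
    # so it has to renegotiate, and a client with renegotiation disabled
    # ends up with a truncated connection.
    #
    # <Location /svn/>
    #     SSLVerifyClient optional
    # </Location>

    # Alternative: request the certificate at the initial handshake for the
    # whole virtual host, so no renegotiation is needed. The cost is that a
    # browser holding a matching certificate may offer it on every page.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    <Location /svn/>
        DAV svn
        SVNPath /srv/svn/example
        # Read-only methods pass without a certificate; every other method
        # needs a client certificate that verified against the CA above.
        SSLRequire %{REQUEST_METHOD} in {"GET", "HEAD", "PROPFIND", "OPTIONS", "REPORT"} \
                   or %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

Serving the repositories from their own host name with this virtual host keeps the certificate request away from the rest of the website.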