I don't want to get off on a rant here, but....

Technology, Programming, Complaints, etc.

Articles from the year 2012

mod_ssl attacking Subversion clients, demanding client certificates

Over the weekend I upgraded to Subversion 1.7.2, Apache 2.2.21 (which contains mod_ssl 2.2.21). Everything worked great browsing the repository from a browser. Problems started as soon as the svn command line or TortoiseSVN was used. Client certificate prompts all over the place; sometimes cancelling worked, sometimes it caused the attempt to fail. General annoyance and stupidity across the board.

I verified 100 times that "SSLVerifyClient none" was set, and moved it to the vhost and directory levels as well; no dice. I could break browser access by setting it to require. Nothing worked to configure it away, so I put back the old 2.2.15 mod_ssl file and bam, everything works like a charm again. It looks like there were some recent mod_ssl changes around optional at the server level preventing required at a lower level... it seems this went too far for some clients. Since 2.2.21 has been in the wild for a long time, I'm guessing this only impacts the SVN HTTP library, since browsers work fine, and it would have caused a whole lot of rioting on the internet if browsers had broken from the change.