tsvn 1.7.7 and later: client certificates: unsupported algorithm nid


vario fox

Oct 27, 2012, 11:19:20 AM
to us...@tortoisesvn.tigris.org
I use an apache 2 server where "require client certificate" is turned on.

The certificates are stored in the windows cert store.

Starting with Tortoise svn version 1.7.7.22907 - 64 Bit I get the following error when connecting to the server requiring client certificates:

Unable to connect to a repository at URL ‘https://…’
OPTIONS of https://….: SSL handshake failed: SSL error: unsupported algorithm nid (https://....)

The Apache error log says
[debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7fe6db05b860 [mem: 7fe6db06ed73]
[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
[info] [client 92.74.17.94] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[info] [client 92.74.17.94] Connection closed to child 2 with abortive shutdown (server …..:443)


The setup works correctly with TortoiseSVN 1.7.6, Build 22632 - 64 Bit svn, version 1.7.4 (r1295709)

I would really appreciate any help with this issue. I have found other people reporting the same issue. ...

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3023930

To unsubscribe from this discussion, e-mail: [users-un...@tortoisesvn.tigris.org].
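A way to read those mod_ssl lines mechanically, as an added example that is not part of this thread: it pairs each aborted handshake with the OpenSSL state the server was in when the peer hung up, which shows Apache was still waiting for the client certificate and so never got as far as verifying it. The sample lines are the ones quoted in this thread; the functions and regular expressions are my own and assume the Apache 2.2 mod_ssl log format shown above.

```python
import re
from collections import Counter

# mod_ssl log lines quoted from this thread (not a live capture).
SAMPLE_LOG = [
    "[debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f3714ad3940 [mem: 7f3714c7ecc3]",
    "[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A",
    "[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A",
    "[info] [client 188.99.183.144] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]",
    "[info] [client 188.99.183.144] Connection closed to child 0 with abortive shutdown (server vtx.ath.cx:443)",
]

# OpenSSL names TLS handshake states with its historical "SSLv3 ..." strings,
# so these patterns apply to TLS 1.x connections as well.
EXIT_RE = re.compile(r"OpenSSL: Exit: error in (?P<state>SSLv3 .+?)\s*$")
EOF_RE = re.compile(r"\[client (?P<ip>[0-9.]+)\] \(70014\)End of file found: SSL handshake interrupted")


def classify(state):
    """Explain where the handshake died, based on the server-side OpenSSL state."""
    if state is None:
        return "peer closed the connection; no preceding OpenSSL state logged"
    if "read client certificate" in state:
        # The server had sent CertificateRequest and was waiting for the client's
        # Certificate message. It never arrived, so Apache's chain verification
        # (SSLCACertificateFile, SSLVerifyDepth) did not run at all.
        return "client hung up before sending its certificate: client-side TLS stack or middlebox, not server trust settings"
    return "client hung up while server was in state: " + state


def handshake_failures(lines):
    """Return one record per aborted handshake with the server state it died in."""
    events, last_state = [], None
    for line in lines:
        m = EXIT_RE.search(line)
        if m:
            last_state = m.group("state")   # remember the most recent failing state
            continue
        m = EOF_RE.search(line)
        if m:
            events.append({"client": m.group("ip"), "state": last_state, "verdict": classify(last_state)})
            last_state = None               # each EOF consumes the pending state
    return events


def failures_per_client(lines):
    """Count aborted handshakes per client IP, useful for spotting one broken client build."""
    return Counter(e["client"] for e in handshake_failures(lines))


if __name__ == "__main__":
    for ev in handshake_failures(SAMPLE_LOG):
        print(ev)
```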

Stefan Küng

Oct 28, 2012, 2:36:01 AM
to us...@tortoisesvn.tigris.org
On 27.10.2012 17:19, vario fox wrote:
> I use an apache 2 server where "require client certificate" is turned on.
>
> The certificates are stored in the windows cert store.
>
> Starting with Tortoise svn version 1.7.7.22907 - 64 Bit I get the following error when connecting to the server requiring client certificates:
>
> Unable to connect to a repository at URL ‘https://…’
> OPTIONS of https://….: SSL handshake failed: SSL error: unsupported algorithm nid (https://....)
>
> The Apache error log says
> [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7fe6db05b860 [mem: 7fe6db06ed73]
> [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
> [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
> [info] [client 92.74.17.94] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
> [info] [client 92.74.17.94] Connection closed to child 2 with abortive shutdown (server …..:443)
>
>
> The setup works correctly with TortoiseSVN 1.7.6, Build 22632 - 64 Bit svn, version 1.7.4 (r1295709)
>
> I would really appreciate any help with this issue. I have found other people reporting the same issue. ...

Try switching to serf instead of neon:
http://tortoisesvn.net/faq.html#useserf

maybe that will help.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3023986

vario fox

Oct 28, 2012, 4:45:39 AM
to us...@tortoisesvn.tigris.org
Hi Stefan,

thanks for your suggestion and the great work in general. But no luck :-(


With TortoiseSVN-1.7.10.23359-x64-svn-1.7.7 using [global] http-library = serf I get the following error:

Unable to connect to a repository at URL 'https:.....'
Error running context: APR does not understand this error code

Apache log reports the same as with the default neon library:

[debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f3714ad3940 [mem: 7f3714c7ecc3]
[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
[info] [client 188.99.183.144] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[info] [client 188.99.183.144] Connection closed to child 0 with abortive shutdown (server vtx.ath.cx:443)



With TortoiseSVN-1.7.6.22632-x64-svn-1.7.4 using [global] http-library = serf it works.
TortoiseSVN-1.7.6.22632-x64-svn-1.7.4 also works with the default neon.

Do you need me to go testing through the other versions?

Vario

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3024002

Stefan Küng

Oct 28, 2012, 8:48:50 AM
to us...@tortoisesvn.tigris.org
On 28.10.2012 09:45, vario fox wrote:
> Hi Stefan,
>
> thanks for your suggestion and the great work in general. But no luck :-(
>
>
> With TortoiseSVN-1.7.10.23359-x64-svn-1.7.7 using [global] http-library = serf I get the following error:
>
> Unable to connect to a repository at URL 'https:.....'
> Error running context: APR does not understand this error code
>
> Apache log reports the same as with the default neon library:
>
> [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f3714ad3940 [mem: 7f3714c7ecc3]
> [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
> [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client certificate A
> [info] [client 188.99.183.144] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
> [info] [client 188.99.183.144] Connection closed to child 0 with abortive shutdown (server vtx.ath.cx:443)
>
>
>
> With TortoiseSVN-1.7.6.22632-x64-svn-1.7.4 using [global] http-library = serf it works.
> TortoiseSVN-1.7.6.22632-x64-svn-1.7.4 also works with the default neon.
>
> Do you need me to go testing through the other versions?

I don't think that would help.

Searching the web for the error messages indicates that it's a problem
with the certificates and the trust chain:

http://fixunix.com/modssl/167053-problem-using-client-ssl-verify.html
http://www.dudek.org/blog/109 ("apache needs to understand you are
acting as your own certificate authority, and not depending on an
external one")

I couldn't find anything in the changelogs for Subversion that would
explain this. And apart from different svn versions, we only updated
OpenSSL during the recent releases.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3024021

vario fox

Oct 28, 2012, 10:30:49 AM
to us...@tortoisesvn.tigris.org
I am sorry, but I'll have to insist :-) I don't believe a misconfiguration / trust issue to be the problem.

It works in the following scenarios:
- many recent versions of Internet Explorer
- many recent versions of Firefox
- all versions of tortoise svn up to 1.7.6
- cygwin-based svn, Version 1.7.7 (r1393599)
All on at least 10 different computers, some with the same, some with other client certificates.

It does not work with versions of tortoise svn above 1.7.6 on two different machines using two different client certificates, neither in the GUI nor in the command line mode.

Is there anything I can do to assist you in debugging?

Vario

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3024029

Stefan Küng

Oct 29, 2012, 2:51:45 AM
to us...@tortoisesvn.tigris.org
On 28.10.2012 15:30, vario fox wrote:
> I am sorry, but I'll have to insist :-) I don't believe a
> misconfiguration / trust issue to be the problem.
>
> It works in the following scenarios: - many recent versions of
> Internet Explorer - many recent versions of Firefox - all versions of
> tortoise svn up to 1.7.6 - cygwin-based svn, Version 1.7.7
> (r1393599) All on at least 10 different computers, some with the
> same, some with other client certificates.
>
> It does not work with versions of tortoise svn above 1.7.6 on two
> different machines using two different client certificates, neither
> in the GUI nor in the command line mode.

"SSL handshake failed: SSL error: unsupported algorithm nid"
That indicates that your server or a proxy in between uses an
unsupported algorithm.
TSVN always uses the latest OpenSSL version with the default build
options. And recent versions of OpenSSL made some changes, including:
* deactivated insecure algorithms (those that have been "broken" lately
or are considered not secure anymore)
* strengthened cert verification, e.g. certs in the chain that worked
before might not work anymore since they're not secure enough

That's all I can tell you.
I only compile OpenSSL and the svn lib, I don't know the code that does
the whole authentication.
Maybe you can get more help on the svn users list or an openssl list.

Stefan

--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3024165

kuang

Jul 9, 2013, 11:02:27 PM
to us...@tortoisesvn.tigris.org
I've experienced the same problem, and it turned out it's because SVN does
not work well with TLSv1.2; just disabling TLSv1.2 on your server will solve
the problem.


------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3060128

Grzegorz

Jul 10, 2013, 3:21:50 AM
to us...@tortoisesvn.tigris.org
--- TortoiseSVN [10.07.2013 05:02]:
> I've experienced the same problem, and it turned out it's because SVN
> does not work well with TLSv1.2; just disabling TLSv1.2 on your server
> will solve the problem.

Thanks for the reply. That's what I suspected but could not verify, as my
version of Apache doesn't support switching off TLSv1.2. This is
possible in Apache 2.2.24+ if I recall correctly.

OpenSSL connects without any problems using TLSv1.2, however every SVN
command-line client, including 1.8, fails. That indicates it is an SVN problem,
or rather a Serf/Neon + SVN problem.

Regards

--
Grzegorz

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3060140