Description of problem:
Using svn with authentication with a certificate (.p12) doesn't work. No error message, just a new prompt for the path of the certificate file.

Version-Release number of selected component (if applicable):
1.4.6-7

How reproducible:
-

Steps to Reproduce:
1. svn co https:.... (with authentication with a certificate)
2.
3.

Actual results:
The certificate file is asked for 3 times, then the authentication fails.

Expected results:

Additional info:
I have compiled my own version of subversion-1.4.6 with neon-0.25.5 and it's working perfectly.
Can you add neon-debug-mask = 511 to the [global] section in ~/.subversion/servers, run svn co https://... 2>/tmp/debug then attach /tmp/debug to this bug report?
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Can you supply the information requested above in comment 1? I've been unable to reproduce any problems here.
fyi, this may be the same issue as: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480041
Is anyone who is affected by this bug willing to try some test packages?
I'm a Debian user, but I'm certainly willing to test patches. fyi, I've provided what I believe is a standalone reproducer here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503833
Ah, so there are two slightly different issues here.
1) GnuTLS failing to parse a PKCS#12 file as you indicate in comment 6. I reported that upstream to GnuTLS this week too: http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/3182
2) PKCS#12 certs which GnuTLS can parse, but which neon fails to interpret correctly. This will cause the SVN failure like "SSL negotiation failed: SSL alert received: Decrypt error". My neon patch should fix this case - though with some PKCS#12 certs it could still happen.
Thanks a lot for posting that reference here anyway, all that diagnostic info was sitting in that bug report at Debian and nobody had bothered to ask upstream :(
Hi, How can I solve this in Fedora 10? Thanx
Dimitris: please try the packages from: http://koji.fedoraproject.org/koji/buildinfo?buildID=81378
Thank you. Now I have this:
    rpm -qa|grep neo
    neon-0.28.3-2.1.fc10.x86_64
But the problem is still there.
You're probably suffering from bug 478883, in that case.
Some colleague had the same problem in Ubuntu and used this recipe to get over it: http://rickvanderzwet.blogspot.com/2008/12/ubuntu-810-subversion-ssl-libary.html
I tried the same and I end up with
    SSL negotiation failed: SSL error: Key usage violation in certificate has been detected.
I googled around a bit and
    gnutls-cli -d 4711 sslsvnhost 2>&1|grep 'Selected cipher'
    |<3>| HSK[2328dc0]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA1
    certtool -i <sslsvnhostcertificate.pem |grep 'Key Usage' -A 2
    Key Usage (critical):
        Digital signature.
        Key encipherment.
Hi, I am still affected by this problem. I have to use an older rhel4 based system to do my work and it is a great annoyance. Any updates?
1) output from: neon-debug-mask = 511 to the [global] section in ~/.subversion/servers, run svn co https://... 2>/tmp/debug does not yield anything:
    ah_create, for WWW-Authenticate
    Running pre_send hooks
    compress: Initialization.
    Sending request headers:
    OPTIONS /xxxx/xxx HTTP/1.1
    Host: xxxx.bbc.co.uk
    User-Agent: SVN/1.5.4 (r33841) neon/0.28.3
    Keep-Alive:
    Connection: TE, Keep-Alive
    TE: trailers
    DAV: http://subversion.tigris.org/xmlns/dav/svn/depth
    DAV: http://subversion.tigris.org/xmlns/dav/svn/mergeinfo
    DAV: http://subversion.tigris.org/xmlns/dav/svn/log-revprops
    Accept-Encoding: gzip
    Sending request-line and headers:
    Doing DNS lookup on xxxx.bc.co.uk...
    Connecting to 212.1.2.3
    Negotiating SSL connection.
    Authentication realm: https://xxxx.xxx.bbc.co.uk:443
    Client certificate filename:
and an 'strace' confirms that the .p12 file is read.
2) the posting by http://rickvanderzwet.blogspot.com/2008/12/ubuntu-810-subversion-ssl-libary.html is spot on --- and "converting" with
    openssl pkcs12 -in old.p12 -out a.pem -keyout a.key -export
    certtool --load-certificate a.pem --load-privkey a.key --to-p12 --outder --outfile a.p12
does the trick. So GnuTLS is to blame :)
neon-0.28.4-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/neon-0.28.4-1.fc9
It's not GnuTLS per se, it's a bug in neon's support for GnuTLS which manifests if you have particular PKCS#12 files (notably ones which include a CA cert).
This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
neon-0.28.4-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update neon'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-6092
The bug persists
Please move forward to Fedora 10
Dirk - this update is pending for Fedora 10: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-5675 Note that there are several different issues which can cause SVN failures with PKCS#12 client certs, and there is one outstanding issue with GnuTLS which I'm yet to track down. If the F10 update referenced here works for you please leave a comment on the update tracker link.
It works for me combined with converting to gnutls as mentioned at http://rickvanderzwet.blogspot.com/2008/12/ubuntu-810-subversion-ssl-libary.html BUT first removing the CA keys from temp.crt before running certtool (http://www.mail-archive.com/help-gnutls@gnu.org/msg01261.html) to avoid key usage violation messages.
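A check for the trigger discussed in this thread (a PKCS#12 bundle that also carries a CA certificate) together with the CA-stripping step, as an added example that is not part of the original bug report. The file names, passphrase and helper functions are hypothetical, the sample bundle is constructed on the spot, and openssl does the re-export here where the recipe in the thread uses certtool.

```shell
#!/bin/sh
# Constructed demo: builds a throwaway CA and client cert, bundles both into
# a PKCS#12, then counts the certs and re-exports the bundle without the CA.
set -eu
PW=demo-pass   # constructed passphrase for the throwaway files

# Print the number of certificates in a PKCS#12 ($1 = file, $2 = passphrase).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE' || true
}

# Build with-ca.p12 in directory $1: client cert + key plus the issuing CA.
make_sample_p12() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-client' \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
    openssl pkcs12 -export -in "$d/client.pem" -inkey "$d/client.key" \
        -certfile "$d/ca.pem" -passout "pass:$PW" -out "$d/with-ca.p12"
}

# Re-export only the client cert and key ($1 = in, $2 = out, $3 = passphrase).
# The key is unencrypted only inside a private mktemp directory, removed after.
p12_strip_ca() {
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" \
        -out "$tmp/cert.pem" 2>/dev/null
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" \
        -out "$tmp/key.pem" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/cert.pem" -inkey "$tmp/key.pem" \
        -passout "pass:$3" -out "$2"
    rm -rf "$tmp"
}

work=$(mktemp -d)
make_sample_p12 "$work"
echo "with-ca.p12:   $(p12_cert_count "$work/with-ca.p12" "$PW") certificate(s)"
p12_strip_ca "$work/with-ca.p12" "$work/leaf-only.p12" "$PW"
echo "leaf-only.p12: $(p12_cert_count "$work/leaf-only.p12" "$PW") certificate(s)"
```

A count above 1 on a real client bundle means it carries extra certificates beyond the client's own, the case comment 16 ties to the neon bug.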
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.