Subversion 1.5.1 does not work with SSL certificates

Bug #265065 reported by Carsten Schlipf
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Hardy Backports | Fix Released | Medium | Unassigned |
subversion | Invalid | Undecided | Unassigned |

Bug Description

After upgrading to Subversion 1.5.1 on Hardy Heron, I was no longer able to connect to my SVN server, which requires client certificate authentication.

According to this comment (https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/241453/comments/5) the cause seems to be that it is linked against libneon-gnutls and not against the OpenSSL version, libneon.

This breaks Subversion support on Ubuntu for me :-(

Tim Jones (tim-mr-dog) wrote :

We're all stuck at our company too now until we can authenticate with our openssl certs. Me at home too.

Could there not be a choice of packages, one for libneon and one for libneon-gnutls?

Desperately awaiting a resolution to this, as we're just a little stuck!

Peter Wright (p-wright) wrote :

The debian bug page describes 2 workarounds:

  1. If you have access to a Windows machine running IE, import your .p12 and export it as a PFX file (.pfx). One of my colleagues here has tried this and it worked (although not with a passwordless .pfx it seems)
  2. Swap the libraries:
        # cd /usr/lib/
        # mv libneon-gnutls.so.27 libneon-gnutls.so.27.old
        # mv libneon-gnutls.so.27.1.2 libneon-gnutls.so.27.1.2.old
        # ln -s libneon.so.27 libneon-gnutls.so.27

Carsten Schlipf (carsten-schlipf) wrote :

Thank you, Peter.

I can confirm the second workaround you've posted.

Scott Kitterman (kitterman) wrote :

Reading this:

http://www.drh-consultancy.demon.co.uk/pkcs12faq-old.html#PFX

I'm not convinced the .pfx solution is real.

Michael Casadevall (mcasadevall) wrote :

I've attached a debdiff that will switch building SVN from gnutls to openssl again. As I can't test to see if it resolves the issue, I've uploaded the package to the backport testers PPA (https://edge.launchpad.net/~ubuntu-backports-testers/+archive)

Marking this as Triaged, pending testing.

Peter Wright (p-wright) wrote :

Thanks Michael, the package you uploaded works;

I've found a solution that works with libneon27-gnutls. The problem appears to be that it does not correctly handle having the CA certificates in the .p12.

To extract the PEMs from your current p12:
  openssl pkcs12 -in CURRENT.p12 -nodes -nocerts > private.key.pem
  openssl pkcs12 -in CURRENT.p12 -nodes -nokeys > public.key.pem

Then in public.key.pem I deleted everything that wasn't my certificate, then I repackaged it with:
  openssl pkcs12 -export -inkey private.key.pem -in public.key.pem -out NEW.p12

Michael Casadevall (mcasadevall) wrote :

Marked as In Progress since verification is complete. If there is a workaround for GnuTLS, it may be preferable not to make this change. Scott, your comments?

Changed in hardy-backports:
importance: Undecided → Medium
status: New → In Progress
Michael Casadevall (mcasadevall) wrote :

Moving back to Triaged. I'm an idiot; forgot about the meaning of In Progress for Backports :-).

Changed in hardy-backports:
status: In Progress → Triaged
Martin Pitt (pitti) wrote :

1.5.1dfsg1-1ubuntu2~hardy2 accepted to hardy-backports.

Changed in hardy-backports:
status: Triaged → Fix Released
Changed in subversion:
status: New → Incomplete
status: Incomplete → Invalid
Onno Steenbergen (osteenbergen) wrote :

The bug is also in 8.10; the PEM conversion does not work. So maybe this problem needs to be reopened.

Scott Kitterman (kitterman) wrote : Re: [Bug 265065] Re: Subversion 1.5.1 does not work with SSL certificates

Please file a new bug for that.
