
I'm trying to access my own SVN server with the Cornerstone SVN client. I get the following error message:

Description : Unable to contact the repository at “https:/foo@bar.mooo.info:443” because an SSL session could not be established. Suggestion : This Mac was unable to present a valid certificate or the server's certificate was rejected as invalid.
Technical Information

  Error : V4SSLHandshakeFailureError \ 
  Exception : ZSVNSSLHandshakeFailureException

Causal Information

Description : Unable to connect to a repository at URL 'https:/foo@bar.mooo.info/svn/robi' Status : 175002

Description : OPTIONS of 'https:/foo@bar.mooo.info/svn/robi': SSL handshake failed: SSL error code -1/1/336032856 (https:/bar.mooo.info) Status : 175002

I think I found the solution by googling and using the search function. It is described on apache.org or on serverfault (SVN SSL negotiation failed):

This can happen when the hostname reported by the server does not match the hostname given in the SSL certificate. Make sure your server configuration uses correct values for ServerName and NameVirtualHost.

As embarrassing as it is, I can't implement it for two reasons.

A) I don't know where to edit the ServerName and NameVirtualHost (httpd.conf is not there in apache2 anymore)
B) I don't know which name I have to add there, the setup:
hostname: friedrich (in the internal network)
DDNS name: bar.mooo.info (as entered in the SVN client)

OS: Debian GNU/Linux wheezy/sid (3.2.0-4-amd64)
Apache version: Server version: Apache/2.2.22 (Debian)

more /etc/apache2/sites-available/ssl.conf :

[...]

 <Location /svn>
      DAV svn
      SVNParentPath /srv/nas/hd0/svn
      # this line must be added if you want SSL enabled
      SSLRequireSSL
 </Location>

[...]

 SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

rob

1 Answer

Try to debug with:

echo -e "GET / HTTP/1.0\n\n"|openssl s_client -connect bar.mooo.info:443

If it is working, display the certificate with:

echo ""|openssl s_client -connect bar.mooo.info:443|openssl x509 -text -noout

Check that the Subject: contains CN=bar.mooo.info

Check that the dates are correct and that the client time is in sync.

Check that the certificate is trusted by your client:

  • Verify that the root certificate used to sign the host certificate is in the trust keystore
  • Verify that the root certificate is valid and not expired.
Mircea Vutcovici
  • Fancy commands :D --> CN=friedrich. So I guess this is the problem – rob Feb 11 '13 at 22:52
  • After a while, I know them by heart. :D And it was not my goal to remember them. – Mircea Vutcovici Feb 11 '13 at 22:56
  • So do I have to generate a new self signed certificate or change the apache config? (or both) – rob Feb 11 '13 at 23:21
  • OK, added the FQDN (bar.mooo.info) as ServerName in /etc/apache2/sites-available/ssl.conf and it worked. Maybe you want to add it to your answer if anyone comes past this thread. – rob Feb 11 '13 at 23:29
  • This depends on your particular apache setup. Taken out of context it is not that useful, given that you did not post your entire apache configuration (Listen, NameVirtualHost, VirtualHost directives are missing in the configs you posted) – Mircea Vutcovici Feb 12 '13 at 16:28
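
The name and date checks from the answer can be scripted so the mismatch seen in this thread (certificate CN=friedrich, client connecting to bar.mooo.info) shows up as a pass/fail result. This is an added example, not part of the original thread: the function names are hypothetical, the certificate is constructed locally for the demo, and it assumes an OpenSSL that supports `x509 -checkhost` (1.0.2 or later).

```shell
#!/bin/sh
# Added example: reproduce the CN mismatch from this thread offline and check it.
# Function names are hypothetical; the certificate is constructed for the demo.

# make_cert CN DIR: write a throwaway self-signed cert (like Debian's snakeoil one).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# cert_matches_host CERT HOST: 0 if HOST matches a DNS SAN or, when the
# certificate has no DNS SAN, the subject CN.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# cert_not_expired CERT: 0 if notAfter is still in the future.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# check_cert CERT HOST: print a short report, return non-zero on any failure.
check_cert() {
  rc=0
  openssl x509 -in "$1" -noout -subject -dates
  if cert_matches_host "$1" "$2"; then echo "OK   name $2 matches"
  else echo "FAIL name $2 not in certificate"; rc=1; fi
  if cert_not_expired "$1"; then echo "OK   not expired"
  else echo "FAIL expired"; rc=1; fi
  return $rc
}

# Demo on a constructed certificate issued to the internal hostname only.
demo_dir=$(mktemp -d)
make_cert friedrich "$demo_dir"
check_cert "$demo_dir/cert.pem" bar.mooo.info || echo "=> a verifying client rejects this name"
check_cert "$demo_dir/cert.pem" friedrich
rm -rf "$demo_dir"
# Against a live server, save its certificate first:
#   openssl s_client -connect bar.mooo.info:443 </dev/null 2>/dev/null | openssl x509 > cert.pem
```

The trust-chain check from the answer is not covered here, because a self-signed demo certificate has no issuer in any trust store.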