On Fri, 08 Feb 2008 16:42:03 -0800 "Daniel B. Thurman" dant@cdkkt.com wrote:
To make a really long story as short as possible, let's just say that I have been able to set up Apache, the Mod_Security, SSL and SubVersion and I am able to access the subversion repository locally with the svn commands and the web-browser, but not remotely.
The SSL certificates are installed in the /etc/httpd/conf directory and they work via the browser and the svn commands in the shell. But doing this remotely with a web-browser or the following svn command results in the server certificate not being passed to the client at all. It appears to show some bogus certificate Issuer instead, as follows:
- svn list https://svn.<domain>.com
Error validating server certificate for 'https://svn.<domain>.com:443':
- The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually!
- The certificate hostname does not match.
Certificate information:
- Hostname: <hostname>.<domain>.com
- Valid: from Sun, 09 Dec 2007 01:13:54 GMT until Mon, 08 Dec 2008 01:13:54 GMT
- Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity, SomeState, --
- Fingerprint: 70:ab:9c:b3:97:a3:98:02:39:5e:59:b4:50:2c:07:bc:66:64:c4:c4
(R)eject, accept (t)emporarily or accept (p)ermanently? t
svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 405 Method Not Allowed (https://svn.<domain>.com)
Below is the mod_security audit log file showing the results:
/var/log/httpd/modsec_audit.log:
Note: Client: 10.1.0.11. Server: 10.1.0.143
=============================================================
--5b7f8e6b-A--
[08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006 10.1.0.143 443
--5b7f8e6b-B--
PROPFIND / HTTP/1.1
Host: svn.<domain>.com
User-Agent: SVN/1.4.5 (r25188) neon/0.26.4
Keep-Alive:
Connection: TE, Keep-Alive
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
--5b7f8e6b-C--
<?xml version="1.0" encoding="utf-8"?>
<propfind xmlns="DAV:"> <prop> <version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/> <baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/> <repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/> </prop> </propfind>
--5b7f8e6b-F--
HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
--5b7f8e6b-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND| PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."]
Stopwatch: 1202516035101975 51173 (1957* 2642 -)
Producer: ModSecurity v2.1.3 (Apache 2.x)
Server: Apache/2.2.6 (Fedora)
--5b7f8e6b-Z--
As far as I can see mod_security explicitly allowed the PROPFIND request per the modsec_audit.log entry above. Therefore I can't see this being a mod_security issue :-).
I suspect that there's something in the subversion/mod_svn configuration setup you have that's not working as you expect it to. If you can post it perhaps myself and other list readers can debug it?
Based on what you've given, these might be things to start looking at:
- Is your certificate self-signed / private CA? You may wish to tweak mod_ssl.conf to point to extra CA certificates / directory paths
- What values do you have for SVNPath / SVNParentPath in your Apache config?
Michael Fleming (mod_security RPM maintainer for Fedora and EPEL :-))
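
The reading of the audit log given in the reply can be checked mechanically. The following is an added example, not part of the original thread or of ModSecurity: it splits one audit-log entry into its lettered parts and reports whether the refusal came from a ModSecurity rule or from the handler behind it. The function names are hypothetical and the sample is abridged from the entry quoted above.

```python
import re
BOUNDARY = re.compile(r"^--[0-9a-fA-F]+-([A-Z])--$")

# Constructed sample: abridged from the audit-log entry quoted in the thread.
SAMPLE = """\
--5b7f8e6b-A--
[08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006 10.1.0.143 443
--5b7f8e6b-B--
PROPFIND / HTTP/1.1
Host: svn.<domain>.com
Depth: 0
--5b7f8e6b-F--
HTTP/1.1 405 Method Not Allowed
Allow: GET,HEAD,POST,OPTIONS,TRACE
--5b7f8e6b-H--
Message: Access allowed (phase 2). [id "1"] [msg "SVN request, allow it."]
--5b7f8e6b-Z--
"""

def split_sections(entry):
    """Map each part letter (A, B, F, H, ...) to its non-empty lines."""
    sections, current = {}, None
    for line in (raw.strip() for raw in entry.splitlines()):
        m = BOUNDARY.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None and line:
            current.append(line)
    return sections

def triage(entry):
    """Hypothetical helper: decide which layer refused the request."""
    s = split_sections(entry)
    method = s["B"][0].split()[0].upper()      # request line, part B
    status = int(s["F"][0].split()[1])         # status line, part F
    allow = next((l.split(":", 1)[1] for l in s["F"]
                  if l.lower().startswith("allow:")), "")
    allowed = {m.strip().upper() for m in allow.split(",") if m.strip()}
    messages = [l for l in s.get("H", []) if l.startswith("Message:")]
    if any("Access denied" in m for m in messages):
        verdict = "blocked by ModSecurity"
    elif status == 405 and method not in allowed:
        verdict = "method refused by the content handler, not ModSecurity"
    else:
        verdict = "no block recorded"
    return {"method": method, "status": status, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A 405 whose Allow header lacks PROPFIND, next to an "Access allowed" message in part H, means the request passed the rule engine and was refused by whatever handler served that URL.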