On Fri, 08 Feb 2008 16:42:03 -0800 "Daniel B. Thurman" <dant@xxxxxxxxx> wrote: > > To make a really long story short as possible, let's just say that I > have > been able to setup Apache, the Mod_Security, SSL and SubVersion and > I am able to access the subversion repository locally with the svn > commands and the web-browser, but not remotely. > > The SSL certificates are installed in the /etc/httpd/conf directory > and it > work via the browser and the svn commands in the shell. But doing this > remotely with a web-browser or the following svn command results in > the server certificate not being passed to the client at all. It > appears to show > some bogus certificate Issuer instead. as follows: > > + svn list https://svn.<domain>.com > > Error validating server certificate for > 'https://svn.<domain>.com:443': > - The certificate is not issued by a trusted authority. Use the > fingerprint to > validate the certificate manually! > - The certificate hostname does not match. > Certificate information: > - Hostname: <hostname>.<domain>.com > - Valid: from Sun, 09 Dec 2007 01:13:54 GMT until Mon, 08 Dec 2008 > 01:13:54 GMT > - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity, > SomeState, -- > - Fingerprint: > 70:ab:9c:b3:97:a3:98:02:39:5e:59:b4:50:2c:07:bc:66:64:c4:c4 > (R)eject, accept (t)emporarily or accept (p)ermanently? t > svn: PROPFIND request failed on '/' > svn: PROPFIND of '/': 405 Method Not Allowed > (https://svn.<domain>.com) > > > Below is the mod_security audit log file showing the results: > ============================================================= > /var/log/httpd/modsec_audit.log: > Note: Client: 10.1.0.11. Server: 10.1.0.143 > ============================================================= > --5b7f8e6b-A-- > [08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006 > 10.1.0.143 443 > --5b7f8e6b-B-- > PROPFIND / HTTP/1.1 > Host: svn.<domain>.com > User-Agent: SVN/1.4.5 (r25188) neon/0.26.4 > Keep-Alive: > Connection: TE, Keep-Alive > TE: trailers > Content-Length: 300 > Content-Type: text/xml > Depth: 0 > Accept-Encoding: gzip, gzip > > --5b7f8e6b-C-- > <?xml version="1.0" encoding="utf-8"?> > <propfind xmlns="DAV:"> > <prop> > <version-controlled-configuration xmlns="DAV:"/><resourcetype > xmlns="DAV:"/> > <baseline-relative-path > xmlns="http://subversion.tigris.org/xmlns/dav/"/> > <repository-uuid xmlns="http://subversion.tigris.org/xmlns/dav/"/> > </prop> > </propfind> > --5b7f8e6b-F-- > HTTP/1.1 405 Method Not Allowed > Allow: GET,HEAD,POST,OPTIONS,TRACE > Content-Length: 315 > Connection: close > Content-Type: text/html; charset=iso-8859-1 > > --5b7f8e6b-H-- > Message: Access allowed (phase 2). Pattern match "^(PROPFIND| > PROPPATCH)$" at > REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] > Stopwatch: 1202516035101975 51173 (1957* 2642 -) > Producer: ModSecurity v2.1.3 (Apache 2.x) > Server: Apache/2.2.6 (Fedora) > > --5b7f8e6b-Z-- > ============================================================= > As far as I can see mod_security explicitly allowed the PROPFIND request per the modsec_audit.log entry above. Therefore I can't see this being a mod_security issue :-). I suspect that there's something in the subversion/mod_svn configuration setup you have that's not working as you expect it to. If you can post it perhaps myself and other list readers can debug it? Based on what you've given, these might be things to start looking at: - Is your certificate self-signed / private CA? You may wish to tweak mod_ssl.conf to point to extra CA certificates / directory paths - What values do you have for SVNPath / SVNParentPath? in your Apache config? Michael Fleming (mod_security RPM maintainer for Fedora and EPEL :-)) -- Michael Fleming <mfleming@xxxxxxxxxxxxxxxx> Be master of mind rather than mastered by mind.
