Issue #339 new

win32+apache+svn+mod_auth_sspi+ssl (server) combined with win32+tortoisehg+hgsubversion = fail

enkaskal
created an issue

I have a subversion server that I access via https with the following specs:

* win32 server (2003 R2, patched)
* apache (2.2.22 + openssl 0.9.8t)
* mod_auth_sspi (1.0.4-2.2.2)
* svn (1.7.4)
* svn repository version 1.6/1.7 (since 1.7 is the same as 1.6)

with my own top level domain/SSL root CA (self-signed and created using the typical openssl CA) and a subdomain/intermediate CA (signed by the root CA and also generated using openssl). Also, the webserver which hosts my source code via SVN has a valid/signed certificate via the intermediate CA, and therefore follows the SSL chain.

Further, my clients are connecting without issue via web browsers (both IE and Firefox, including through Trac, Hudson, and Jenkins) and also via TortoiseSVN (mainly 1.7.5) using ssl-authority-files = rootCA.crt;intermediateCA.crt in their servers config file.

However, when I attempt to use TortoiseHG (2.3.1) with hgsubversion I am having issues. (Clients are WinXP x86 SP3 and Win7 SP1 x64, although I will describe my troubleshooting from the XP perspective.)

First, I have found that by simply appending my rootCA crt to the C:\Program Files\TortoiseHg\hgrc.d\cacert.pem file I receive the following error when attempting to clone (via an https:// URL): {{{ SSL: Server certificate verify failed }}}

Then, attempting to further append the intermediateCA certificate to the same file, I receive the error message [[Image(openssl-uplink--no-openssl-applink.png)]]

N.B. According to http://www.openssl.org/support/faq.html#PROG2 this is due to the way in which openssl is being utilized or compiled/linked.

If I then try to add the SHA-1 hostfingerprint for the rootCA certificate to the global client config file (via right-click > TortoiseHG > Global Settings > Edit File), I receive the same openssl-applink error message.

If I then try to append the SHA-1 hostfingerprint for the intermediateCA certificate to the global client config file, I receive the same openssl-applink error message.

Further, if I attempt to append the webserver fingerprint to the global client config file (thus completing the SSL signing chain), I receive the same openssl-applink error message.

Moreover, if I attempt to bypass SSL and use regular http, I am successfully prompted for my credentials; however hg (via subversion?) doesn't seem to be able to authenticate correctly; it just continually prompts for credentials. (N.B. This is with SSPIDomain set, SSPIOmitDomain configured, and attempting both with and without DOMAIN\user for the username.)

Finally, if I remove the require valid-user constraint [thus removing all security] from the apache config, I have no issues cloning the repo via TortoiseHG.

I believe this to be an issue with hgsubversion, although I admit it may be an issue in mercurial/tortoisehg proper/upstream. However, I thought it prudent to start here.

While I am unable to provide public repositories for troubleshooting, I would be willing to assist in almost any way on my windows domain and probably even provide CiscoVPN client access to a developer or two.
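As an added example (not code from the issue reporter, hgsubversion or Mercurial), the script below produces the two pieces of client configuration that Mercurial's own HTTPS client can use with a private PKI like the one described in the report: the PEM bundle that [web] cacerts points at (root and intermediate CA concatenated) and a [hostfingerprints] entry, which Mercurial checks against the SHA-1 fingerprint of the server's own certificate rather than of a CA certificate. The host name svn.example.test, the cacerts path and the PEM blobs are constructed stand-ins (base64 of plain text, not real X.509 certificates) so that it runs offline; only the fetch helper touches a real server.

```python
"""Added example, not code from the issue reporter, hgsubversion or Mercurial.

Builds a [web] cacerts bundle and a [hostfingerprints] entry for Mercurial's
HTTPS client. Assumptions (constructed, not from the report): the host name
svn.example.test and the DER stand-ins below, which are plain text rather
than real X.509 certificates so the script runs offline.
"""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_wrap(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed stand-ins for rootCA.crt, intermediateCA.crt and the server cert.
ROOT_DER = b"constructed root CA stand-in"
INTERMEDIATE_DER = b"constructed intermediate CA stand-in"
LEAF_DER = b"constructed web server certificate stand-in"

# The shape of the file [web] cacerts should point at: every CA the client
# must trust for the chain, concatenated; nothing else is required in it.
SAMPLE_BUNDLE = pem_wrap(ROOT_DER) + pem_wrap(INTERMEDIATE_DER)


def pem_bundle_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(pem_text)]


def sha1_fingerprint(der):
    """SHA-1 over the DER encoding as colon-separated uppercase hex: the
    string `openssl x509 -noout -fingerprint -sha1` prints, and the form the
    [hostfingerprints] section takes."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def hgrc_fragment(host, cacerts_path, leaf_der):
    """Render the hgrc lines for one server. The pin is the fingerprint of
    the leaf (server) certificate; a CA certificate's fingerprint here would
    never match the certificate the server presents."""
    return ("[web]\n"
            "cacerts = %s\n"
            "\n"
            "[hostfingerprints]\n"
            "%s = %s\n" % (cacerts_path, host, sha1_fingerprint(leaf_der)))


def fetch_leaf_der(host, port=443):
    """Fetch the certificate a live server presents (network; not used by
    the offline demo). get_server_certificate returns PEM, so decode it."""
    pem = ssl.get_server_certificate((host, port))
    return pem_bundle_to_der(pem)[0]


def demo():
    """Offline walk-through on the constructed bundle; returns the hgrc text."""
    for der in pem_bundle_to_der(SAMPLE_BUNDLE):
        print("CA in bundle:", sha1_fingerprint(der))
    return hgrc_fragment("svn.example.test",
                         r"C:\Program Files\TortoiseHg\hgrc.d\cacert.pem",
                         LEAF_DER)


if __name__ == "__main__":
    print(demo())
```

For a real server, replace LEAF_DER with fetch_leaf_der("svn.example.test") and compare the printed fingerprint with what TortoiseSVN or the browser shows for the same host before pinning it. Note that this configures Mercurial's own HTTPS client; because hgsubversion reaches the repository through the Subversion Python bindings, the Subversion client configuration (the servers file with ssl-authority-files that the reporter already has working for TortoiseSVN) is the other place worth checking for the same user.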
