
Bug#593334: apache2: Upgrade to Squeeze broke Apache+TRAC+SSL setup



Subject: apache2: Upgrade to Squeeze broke Apache+TRAC+SSL setup
Package: apache2.2-common
Version: 2.2.16-1
Severity: important

Hi,
Yesterday I was trying to upgrade our server to squeeze, in which we
have an SSL+TRAC+APACHE2 service, and I noticed that with the upgrade
the service was unavailable.
There are other services running under apache as well in the same
server and they are unaffected.
Here's our configuration:

## sites-enabled/trac

<VirtualHost server.com:8000>

	DocumentRoot /mnt/proyectos/trac

	<Location />
		Options -Indexes -MultiViews
	</Location>

	<Location /trac>
	    SetHandler mod_python
	    PythonHandler trac.web.modpython_frontend
	    PythonOption TracEnvParentDir /mnt/proyectos/trac
	    PythonOption TracUriRoot /trac
	    SSLVerifyClient require
	    SSLVerifyDepth  3
	    SSLRequire (%{SSL_CLIENT_S_DN_O} eq "Company" and %{SSL_CLIENT_S_DN_OU} eq "OU")
#	    SSLOptions +OptRenegotiate
	</Location>

	<LocationMatch "/login">
	    AuthType Basic
	    AuthName "Trac"
	    AuthUserFile /etc/apache2/dav_svn.passwd
	    Require valid-user
	</LocationMatch>

	SSLEngine on
	SSLCertificateFile    /etc/apache2/keys/server-cert.pem
	SSLCertificateKeyFile /etc/apache2/keys/server-key.pem
	SSLCACertificateFile  /etc/apache2/keys/ou.pem
	LogLevel debug
        CustomLog /var/log/apache2/svn_access.log combined
        ErrorLog /var/log/apache2/svn_error.log

<Location /svn>

  DAV svn
  SVNParentPath /mnt/proyectos/subversion

  AuthType Basic
  AuthName "Company Subversion Repository"
  AuthUserFile /etc/apache2/dav_svn.passwd

  AuthzSVNAccessFile /etc/apache2/svnpolicy
  Require valid-user
  SSLVerifyClient none
  SSLRequireSSL

</Location>

</VirtualHost>

What I get in the log when someone tries to go to server.com/trac with
Firefox (our main browser) is:

bunch of ssl-debug...
[Tue Aug 17 11:47:37 2010] [debug] ssl_engine_io.c(1860): +-------------------------------------------------------------------------+
[Tue Aug 17 11:47:37 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSLv3 read client key exchange A
[Tue Aug 17 11:47:37 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in SSLv3 read client key exchange A
[Tue Aug 17 11:47:37 2010] [error] [client 115.110.119.226] Re-negotiation handshake failed: Not accepted by client!?
[Tue Aug 17 11:47:37 2010] [debug] mod_deflate.c(615): [client 115.110.119.226] Zlib: Compressed 0 to 2 : URL /trac/

As I said, there are other certificate-based (svn, file-browsing)
services working fine.
Another thing that strikes me is that I tried with the Opera browser and
they work just fine...

Excuse me if apache2 is not the right package to be submitted, and for
my bad English.
Thanks.


-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_svn authz_user autoindex cache cgid dav dav_svn
  deflate dir disk_cache env include mime negotiation python
  reqtimeout setenvif ssl status

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8
(charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to POSIX)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.2.16-1   Apache HTTP Server - high speed th
ii  apache2.2-common              2.2.16-1   Apache HTTP Server common files

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils                 2.2.16-1   utility programs for webservers
ii  apache2.2-bin                 2.2.16-1   Apache HTTP Server common binary f
ii  libmagic1                     5.04-5     File type determination library us
ii  lsb-base                      3.2-23.1   Linux Standard Base 3.2 init scrip
ii  mime-support                  3.48-1     MIME files 'mime.types' & 'mailcap
ii  perl                          5.10.1-14  Larry Wall's Practical Extraction
ii  procps                        1:3.2.8-9  /proc file system utilities

-- no debconf information
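
The error in the log above is a failed renegotiation, and mod_ssl documents that SSLVerifyClient inside a per-directory section forces a renegotiation after the request has been read. The following is an added example, not part of the original report and not Apache or Debian code: it lists the sections of a configuration that ask for a stricter client-verification level than the enclosing virtual host, so they can be reviewed before an upgrade. The function name, the strictness ranking and the reduced sample configuration are assumptions, and the parser handles a single virtual host only.

```python
import re

# Constructed sample, reduced from the virtual host in the report above.
SAMPLE_CONF = """\
<VirtualHost server.com:8000>
    <Location /trac>
        SSLVerifyClient require
    </Location>
    SSLEngine on
    <Location /svn>
        SSLVerifyClient none
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")
PER_DIR = {"location", "locationmatch", "directory", "directorymatch", "files", "filesmatch"}
# Simplified strictness order (assumption): a renegotiation is only needed
# when a section asks for more client verification than the handshake did.
RANK = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}


def find_renegotiation_points(conf_text):
    """Return (section, level) for every per-directory SSLVerifyClient that
    is stricter than the level set directly in the virtual host (mod_ssl's
    default, "none", applies when the virtual host sets nothing)."""
    stack, scoped, vhost_level = [], [], "none"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1), m.group(2).strip()))
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "sslverifyclient":
            continue  # blank lines, comments and unrelated directives
        level = parts[1].lower()
        inner = next((s for s in reversed(stack) if s[0].lower() in PER_DIR), None)
        if inner is None:
            vhost_level = level  # set at server / virtual-host level
        else:
            scoped.append((f"<{inner[0]} {inner[1]}>", level))
    base = RANK.get(vhost_level, 0)
    return [(sec, lvl) for sec, lvl in scoped if RANK.get(lvl, 0) > base]
```
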


