Setting up SSL in Apache for subversion

Hi,

I am trying to set up https access to my svn repository and setting up ssl in my apache server gives me problems. The svn access through HTTP works fine.

I followed the instructions in the following link for ssl setup in apache.
Setting up SSL/TLS for Apache on SLES 10 | Novell User Communities

Though the setup itself is straightforward, I am getting the following error message when I try to access the https page –

SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)

I installed everything from yast.
The DocumentRoot is “/srv/www/htdocs”

And the SVN repos are in /srv/repos/project1 like in the suse readme for svn. (this is not a virtual host). In the subversion.conf file the following are defined –

Alias /repos "/srv/svn/html"
<Directory /srv/svn/html>
<Location /repos/project1>

I did not paste the complete subversion.conf file because the basic setup is working without ssl enabled in apache and also because it's exactly identical to the subversion readme in open suse 11.

The virtual host for ssl is where I think the problem is. Here is the ssl conf file. Please see if anyone can find an error here.

<IfDefine SSL>
<IfDefine !NOSSL>

# SSL Virtual Host Context

<VirtualHost www.A.com:443>

#  General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
ServerName www.A.com:443
ServerAdmin local@localhost
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log

SSLEngine on
# Only allow "high" and "medium" security key lengths.
SSLCipherSuite HIGH:MEDIUM

# Force SSLv3 and TLSv1 Only!
SSLProtocol all -SSLv2

SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLCertificateChainFile /etc/apache2/ssl.crt/newca.crt
SSLCACertificateFile /etc/apache2/ssl.crt/newca.crt

<Directory "/repos/project1">
    SSLOptions +StdEnvVars
</Directory>

CustomLog /var/log/apache2/ssl_request_log   ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>

Any help is appreciated.

Thanks,
-Vas
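
Background on the error quoted in the post above, as an added example that is not part of the original thread: Firefox reports ssl_error_rx_record_too_long when the first bytes it receives on the HTTPS port do not parse as a TLS record, which is what happens if the server answers on 443 in plain HTTP. The sample replies are constructed and the function names are illustrative.

```python
import struct

# A TLS record carries at most 2^14 bytes of payload plus 2048 bytes of expansion.
MAX_TLS_RECORD = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# Constructed sample replies (not captured from the poster's server).
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"
PLAIN_HTML_REPLY = b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">"
TLS_REPLY = bytes([22, 3, 1, 0, 49])  # handshake record, version 3.1, 49 bytes


def read_as_tls_record(first_bytes):
    """Interpret the first 5 bytes of a reply the way a TLS client does."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
        "version": (major, minor),
        "length": length,
        "too_long": length > MAX_TLS_RECORD,
    }


def diagnose(first_bytes):
    """Classify what answered on the port from the first bytes it sent."""
    if first_bytes.startswith((b"HTTP/", b"<!DOCTYPE", b"<html")):
        return "plain HTTP on the TLS port"
    rec = read_as_tls_record(first_bytes)
    known = not rec["content_type"].startswith("unknown")
    if known and rec["version"][0] == 3 and not rec["too_long"]:
        return "TLS"
    return "unrecognised"


if __name__ == "__main__":
    for sample in (PLAIN_HTTP_REPLY, PLAIN_HTML_REPLY, TLS_REPLY):
        print(sample[:5], read_as_tls_record(sample), "->", diagnose(sample))
```

Read as a record header, the ASCII bytes "P/" give a length of 20527, above the 18432-byte limit, hence "exceeded the maximum permissible length".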

Hi,

How did you start Apache? Are you using the ssl option in the command:

rcapache2 startssl

This is my SSL section if that helps:


SSLEngine On
SSLVerifyClient none
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!eNULL
SSLCACertificateFile /etc/apache2/ssl/cacert.pem
SSLCertificateFile /etc/apache2/ssl/cacert.crt
SSLCertificateKeyFile /etc/apache2/ssl/private.key
SSLCertificateChainFile /etc/apache2/ssl/ca.ca-bundle

SSLOptions +StrictRequire +StdEnvVars

Check the SSL module is loaded with the command: httpd2 -M

You should see something like:

httpd2 -M
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_file_module (shared)
authz_host_module (shared)
authz_groupfile_module (shared)
authz_default_module (shared)
authz_user_module (shared)
authn_dbm_module (shared)
autoindex_module (shared)
cgi_module (shared)
dir_module (shared)
env_module (shared)
expires_module (shared)
include_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
setenvif_module (shared)
ssl_module (shared)
suexec_module (shared)
userdir_module (shared)
php5_module (shared)
rewrite_module (shared)
Syntax OK

Also check your listen.conf. Make sure it’s listening on port 443.

Can you post your Apache logs also…

/jlar

Hi,

Thanks for the reply. I am starting apache by doing this -

apachectl start

I do not get any error in the logs. So it looks like it's a configuration problem.

I have checked that the ssl module is loaded. In yast you can go into /etc/sysconfig.d editor that you can use to see the modules loaded. Also httpd2 -M gives me this –
Loaded Modules:
core_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
authz_host_module (shared)
actions_module (shared)
alias_module (shared)
auth_basic_module (shared)
authz_groupfile_module (shared)
authn_file_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
dir_module (shared)
include_module (shared)
log_config_module (shared)
mime_module (shared)
negotiation_module (shared)
setenvif_module (shared)
status_module (shared)
userdir_module (shared)
asis_module (shared)
imagemap_module (shared)
ssl_module (shared)
php5_module (shared)
authz_default_module (shared)
dav_module (shared)
dav_svn_module (shared)
Syntax OK

-Vas

Hi,

I had just a short look at the howto and I think there is something missing: either start apache with the -DSSL option by using rcapache startssl (as already described), or edit /etc/sysconfig/apache2 and add SSL to APACHE_SERVER_FLAGS there.

Hope this helps
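
The effect the reply above describes, as an added example that is not part of the original thread: the posted vhost sits inside <IfDefine SSL>, so it is only read when SSL is defined at startup. This sketch evaluates the nesting for a given set of defines; the config excerpt is constructed from the post, the function names are illustrative, and it assumes each word in APACHE_SERVER_FLAGS reaches the server as a -D define.

```python
import re

# Constructed excerpt modelled on the ssl conf file posted in this thread.
SSL_CONF = """\
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost www.A.com:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
</VirtualHost>
</IfDefine>
</IfDefine>
"""


def server_flags(sysconfig_text):
    """Names in APACHE_SERVER_FLAGS; assumed to reach httpd2 as -D<name>."""
    m = re.search(r'^\s*APACHE_SERVER_FLAGS="([^"]*)"', sysconfig_text, re.M)
    return set(m.group(1).split()) if m else set()


def effective_directives(conf_text, defines):
    """Lines that survive <IfDefine> evaluation for the given set of defines."""
    stack, kept = [], []  # one bool per currently open <IfDefine>
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.fullmatch(r"<IfDefine\s+(!?)([^>\s]+)\s*>", line, re.I)
        if opening:
            negated, name = opening.groups()
            stack.append((name in defines) != bool(negated))
        elif re.fullmatch(r"</IfDefine\s*>", line, re.I):
            if not stack:
                raise ValueError("</IfDefine> without an opening tag")
            stack.pop()
        elif all(stack):
            kept.append(line)
    if stack:
        raise ValueError("unclosed <IfDefine>")
    return kept


def ssl_vhost_active(conf_text, defines):
    """True if an 'SSLEngine on' line is in effect under these defines."""
    return any(d.lower().split() == ["sslengine", "on"]
               for d in effective_directives(conf_text, defines))
```

With no defines the whole block is skipped and no vhost enables SSL; with SSL defined the SSLEngine line takes effect.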

Hi,

Is the digital cert one that you made yourself or is it from a certificate authority like Thawte/Comodo/Verisign?

/jlar

Hi,

I have finally solved it. It turns out the apache module in yast on suse is severely flawed. I did it multiple times and it never worked for me. I downloaded the apache source code and installed it and everything works cleanly. Suse, in an attempt to simplify apache configuration, messed something up. At least if it's GUI based, I expect it to just work and everything including ssl key generation to be done with button clicks. Well, we are still far from that ideal situation.

At least I know that I have not forgotten configuring apache.

-Vas