Hosting Provided By

Re: [F8] Apache Mod_Security and SubVersion

From: Daniel B. Thurman <dant(at)cdkkt.com>
Date: Wed Feb 13 2008 - 10:11:18 EST

On Sat, 2008-02-09 at 01:13 -0800, Michael Fleming wrote:

	On Fri, 08 Feb 2008 16:42:03 -0800 
	"Daniel B. Thurman"  wrote:
	

	> 
	> To make a really long story short as possible, let's just say that I 
	> have been able to setup Apache, the Mod_Security, SSL and SubVersion
	> and I am able to access the subversion repository locally with the svn 
	> commands and the web-browser, but not remotely. 
	> 
	> The SSL certificates are installed in the /etc/httpd/conf directory 
	> and it work via the browser and the svn commands in the shell.
	> But doing this remotely with a web-browser or the following svn
	> command results in the server certificate not being passed to the
	> client at all. It appears to show some bogus certificate Issuer
	> nstead. as follows: 
	> 
	> + svn list <https://svn>.cdkkt.com 
	> 
	> Error validating server certificate for 
	> '<https://svn>.cdkkt.com:443': 
	> - The certificate is not issued by a trusted authority. Use the 
	> fingerprint to validate the certificate manually! 
	> - The certificate hostname does not match. 
	> Certificate information: 
	> - Hostname: <hostname>.cdkkt.com 
	> - Valid: from Sun, 09 Dec 2007 01:13:54 GMT until Mon, 08 Dec 2008 
	> 01:13:54 GMT 
	> - Issuer: SomeOrganizationalUnit, SomeOrganization, SomeCity, 
	> SomeState, -- 
	> - Fingerprint: 
	> 70:ab:9c:b3:97:a3:98:02:39:5e:59:b4:50:2c:07:bc:66:64:c4:c4 
	> (R)eject, accept (t)emporarily or accept (p)ermanently? t 
	> svn: PROPFIND request failed on '/' 
	> svn: PROPFIND of '/': 405 Method Not Allowed 
	> (<https://svn>.cdkkt.com) 
	> 
	> 
	> Below is the mod_security audit log file showing the results: 
	> ============================================================= 
	> /var/log/httpd/modsec_audit.log: 
	> Note: Client: 10.1.0.11. Server: 10.1.0.143 
	> ============================================================= 
	> --5b7f8e6b-A-- 
	> [08/Feb/2008:16:13:55 --0800] lRvlFwoBAI8AACDvh3wAAAAB 10.1.0.11 2006 
	> 10.1.0.143 443 
	> --5b7f8e6b-B-- 
	> PROPFIND / HTTP/1.1 
	> Host: svn.cdkkt.com 
	> User-Agent: SVN/1.4.5 (r25188) neon/0.26.4 
	> Keep-Alive: 
	> Connection: TE, Keep-Alive 
	> TE: trailers 
	> Content-Length: 300 
	> Content-Type: text/xml 
	> Depth: 0 
	> Accept-Encoding: gzip, gzip 
	> 
	> --5b7f8e6b-C-- 
	> <?xml version="1.0" encoding="utf-8"?> 
	> <propfind xmlns="DAV:"> 
	> <prop> 
	> <version-controlled-configuration xmlns="DAV:"/><resourcetype 
	> xmlns="DAV:"/> 
	> <baseline-relative-path 
	> xmlns="<http://subversion.tigris.org/xmlns/dav/>"/> 
	> <repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/> 
	> </prop> 
	> </propfind> 
	> --5b7f8e6b-F-- 
	> HTTP/1.1 405 Method Not Allowed 
	> Allow: GET,HEAD,POST,OPTIONS,TRACE 
	> Content-Length: 315 
	> Connection: close 
	> Content-Type: text/html; charset=iso-8859-1 
	> 
	> --5b7f8e6b-H-- 
	> Message: Access allowed (phase 2). Pattern match "^(PROPFIND| 
	> PROPPATCH)$" at 
	> REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] 
	> Stopwatch: 1202516035101975 51173 (1957* 2642 -) 
	> Producer: ModSecurity v2.1.3 (Apache 2.x) 
	> Server: Apache/2.2.6 (Fedora) 
	> 
	> --5b7f8e6b-Z-- 
	> ============================================================= 
	> 

	
	As far as I can see mod_security explicitly allowed the PROPFIND 
	request per the modsec_audit.log entry above. Therefore I can't see this 
	being a mod_security issue :-).

Yes, I suspected that because I did turn off SecFilterEngine and saw the same results. So it's "something else".

	I suspect that there's something in the subversion/mod_svn 
	configuration setup you have that's not working as you expect it to. If 
	you can post it perhaps myself and other list readers can debug it?
	
	Based on what you've given, these might be things to start looking at:
	
	- Is your certificate self-signed / private CA? You may wish to tweak 
	mod_ssl.conf to point to extra CA certificates / directory paths 
	- What values do you have for SVNPath / SVNParentPath? in your Apache 
	config?

My certificate is self-signed. Seems to work locally but not remotely.
I cannot find a mod_ssl.conf in my /etc/httpd directories anywhere. Can you tell me where I can find it and what you might put into it?
The partital setup info is given below, but most is modeled with that of the reference I give below:

I am following, almost to the letter: "Fedora 8 SVN + Trac + SSL Howto" <http://fedora-on-dell-laptop.rationalplanet.com/index.php/topic,27.0.html>

NOTE: This is the ONLY reference where it *seems* that the mod_security for svn is setup correctly as it the the only one I could get to work with svn sans the other problems I am faced with. Some drawback to this article was there was no explanation as how to setup your DNS so that your svn/trac virtual servers can be reached "outside" localhost. But let's take this one step at a time, and when we get the details resolved, we can write this all up for others to use, given a couple of scenarios.

I have actually tried the simple way - by using only the /etc/httpd/conf.d/ subversion.conf - but my problem is/was I could not get the mod_security to work for several reasons:

Some sites call for: SecFilterSelective instead of SecRule. Seems on F8, SecFilterSelective is not recognized, but SetRule is. Maybe this is due to Apache version on F8.
Some sites only say at the end of each string: "allow"

The following has a LOT more than just "allow" and seem to work, only I cannot decipher it, especially the part with "id;1,t,none"

/etc/httpd/modsecurity.d/modsecurity_crs_10_svn_ignores.conf

#==============================================================
SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"
SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"

SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" "allow,id:1,t:none,msg:'SVN request, allow it.'" SecRule REQUEST_METHOD "^(MKCOL)$" "allow,id:1,t:none,msg:'SVN request, allow it.'"

#==============================================================

There is a SSL link within the reference given above allows one to setup a self-signed CA but there was nothing in it that describes how to allow the svn.cdkkt.com to be "exported" so that remote clients can obtain the CA and there are other problems as I identified above.

Do you need help?

Unlike the link mentioned above, I consolidated the /etc/httpd/conf.d/localdev.conf file into subversion.conf so that I can try out the two different methods in the same file. The first method is what is generally given from other sites and the second method is the virtual host method given in the above mentioned link.

You can simply comment out either of the two methods given to see the results.

/etc/httpd/conf.d/subversion.conf:

#==============================================================

LoadModule dav_svn_module modules/mod_dav_svn.so LoadModule authz_svn_module modules/mod_authz_svn.so

#================================================================
# Example configuration to enable HTTP access for a directory
# containing Subversion repositories, "/var/www/svn". Each repository
# must be readable and writable by the 'apache' user. Note that if
# SELinux is enabled, the repositories must be labelled with a context
# which httpd can write to; this will happen by default for
# directories created in /var/www. Use "restorecon -R /var/www/svn"
# to label the repositories if upgrading from a previous release.
#
# To create a new repository "
Do you need more help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related redhat.com Links
fedora-list
pump-list
redhat-announce-list
redhat-devel-list
redhat-install-list
redhat-list
redhat-watch-list
Request more information about Pantek
http://localhost/repos/stuff" using
# this configuration, run as root:
#
# # cd /var/www/svn
# # svnadmin create stuff

# # chown -R apache.apache stuff

#================================================================

#===================vvvvvvvvvvvvvvvvvvvvvvv====================
# Simple Implementation
#==============================================================

# METHOD #1:
#===========
<Location /svn>
DAV svn
SVNPath /var/www/vhosts/svn/svn.cdkkt.com/ AuthType Basic
AuthName "linux.cdkkt.com"
AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd AuthzSVNAccessFile /var/www/vhosts/svn/svn.cdkkt.com/conf/authz Require valid-user
</Location>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt SSLCertificateKeyFile /etc/pki/tls/private/server.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown CustomLog /var/log/httpd/svn.cdkkt.com/access.log combined ErrorLog /var/log/httpd/svn.cdkkt.com/error.log <Directory "/var/www/vhosts/svn/svn.cdkkt.com"> Order allow,deny
Allow from 127.0.0 10.0.0


#===================^^^^^^^^^^^^^^^^^^^^^^^====================

#===================vvvvvvvvvvvvvvvvvvvvvvv====================
# Virtual Subversion and Trac
#==============================================================
# METHOD #2:
#===========
# 1) Add to /etc/host:
# 127.0.0.2 svn..
# 127.0.0.3 trac..
# 2) Add Apache SSL support
# See: /etc/httpd/conf/ssl.conf
# Update SSLCertificateFile and SSLCertificateKeyFile
# with Real CA or Self-Signed CA. Need server.crt and
# server.key, no-pass-phrase,
#==============================================================
#
# ServerName svn.cdkkt.com
# Redirect / <
https://svn.cdkkt.com/>
#
#
#
# ServerName trac.cdkkt.com
# Redirect / <
https://trac.cdkkt.com/>
#
#
#
# DocumentRoot "/var/www/vhosts/svn/svn.cdkkt.com"
# ServerName svn.cdkkt.com
# 
# DAV svn
# SVNPath /var/www/vhosts/svn/svn.cdkkt.com
# AuthType Basic
# AuthName "svn.cdkkt.com"
# AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
# AuthzSVNAccessFile /var/www/vhosts/svn/svn.cdkkt.com/conf/authz
# Require valid-user
# 
# SSLEngine on
# SSLCertificateFile /etc/pki/tls/certs/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/server.key
# SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# CustomLog /var/log/httpd/svn.cdkkt.com/access.log combined
# ErrorLog /var/log/httpd/svn.cdkkt.com/error.log
Can we help you? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related redhat.com Links
fedora-list
pump-list
redhat-announce-list
redhat-devel-list
redhat-install-list
redhat-list
redhat-watch-list
Request more information about Pantek
# 
# Order allow,deny
# Allow from 127.0.0 10.0.0
# 
#
#
#
# ServerName trac.cdkkt.com
# DocumentRoot "/var/www/vhosts/trac/trac.cdkkt.com"
# Alias /trac/ /usr/share/trac/htdocs
# 
# Options Indexes MultiViews
# AllowOverride None
# Order allow,deny
# Allow from all
# 
# 
# SetHandler mod_python
# SetEnv PYTHON_EGG_CACHE "/tmp/eggs"
# PythonHandler trac.web.modpython_frontend
# PythonInterpreter main_interpreter
# PythonOption TracEnv "/var/www/vhosts/trac/trac.cdkkt.com/"
# PythonOption TracUriRoot /
# AuthType Basic
# AuthName "trac.cdkkt.com"
# AuthUserFile /var/www/vhosts/svn/svn.cdkkt.com/conf/passwd
# Require valid-user
# 
# SSLEngine on
# SSLCertificateFile /etc/pki/tls/certs/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/server.key
# CustomLog /var/log/httpd/trac.cdkkt.com/access.log combined
# ErrorLog /var/log/httpd/trac.cdkkt.com/error.log
# 
# Order allow,deny
# Allow from 127.0.0 10.0.0
# 
#
#===================^^^^^^^^^^^^^^^^^^^^^^^====================

Now, anytime that you choose one method for another, you have to restart the httpd daemon, but I noticed the following log when restarting httpd:

/var/log/httpd/error_log:

#==============================================================
[Tue Feb 12 14:06:56 2008] [notice] caught SIGTERM, shutting down
[Tue Feb 12 14:06:57 2008] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Tue Feb 12 14:06:57 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Feb 12 14:06:58 2008] [notice] ModSecurity for Apache 2.1.3 configured - Apache/2.2.6 (Fedora)
[Tue Feb 12 14:06:59 2008] [notice] Digest: generating secret for digest authentication ...
Can't find what you're looking for? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related redhat.com Links
fedora-list
pump-list
redhat-announce-list
redhat-devel-list
redhat-install-list
redhat-list
redhat-watch-list
Request more information about Pantek
[Tue Feb 12 14:06:59 2008] [notice] Digest: done
[Tue Feb 12 14:07:00 2008] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.

[Tue Feb 12 14:07:00 2008] [notice] mod_python: using mutex_directory /tmp [Tue Feb 12 14:07:00 2008] [notice] Apache/2.2.6 (Unix) DAV/2 mod_auth_kerb/5.3 mod_auth_pgsql/2.0.3 mod_ssl/2.2.6 OpenSSL/0.9.8b Apache/2.2.0 (Fedora) PHP/5.2.4 mod_python/3.3.1 Python/2.5.1 SVN/1.4.4 mod_perl/2.0.3 Perl/v5.8.8 configured -- resuming normal operations

#==============================================================

Other than the bolded line, everything else seems ok.

#==============================================================

Using METHOD #2:

#==============================================================

1) Using FireFox, URL: htto://svn.cdkkt.com:

The certificate warning pops up, saying that svn.cdkkt.com is not the same as linux.cdkkt.com but the signature is fine - I accepted this for now. Once accepted,

The Authorization request pops up, username and password is entered and then the page comes up and says:

Revision 1: /

*	branches/ <
https://svn.cdkkt.com/branches/> 
*	tags/ <
https://svn.cdkkt.com/tags/> 
*	trunk/ <
https://svn.cdkkt.com/trunk/>

Don't know where to look next?

At this point I can navigate 'trunk' all the way through to the last file.

2) Trac works as well.

3) Opening up a local Terminal window, I can type: + svn list <https://svn.cdkkt.com>
Error validating server certificate for '<https://svn.cdkkt.com:443>': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! - The certificate hostname does not match. Certificate information:

- Hostname: linux.cdkkt.com
- Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
- Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58

(R)eject, accept (t)emporarily or accept (p)ermanently? t [POPUP ASKS FOR AUTHORIATION: username and password correctly entered] branches/
tags/
trunk/

/var/log/httpd/svn.cdkkt.com/error_log

[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "Tii@8goBAI8AABKZZhEAAAAG "]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Tikh0AoBAI8AABKYZC8AAAAF"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "Til0MgoBAI8AABKaZ64AAAAH"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TinGCwoBAI8AABKTWiEAAAAA"]
Confused? Frustrated? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related redhat.com Links
fedora-list
pump-list
redhat-announce-list
redhat-devel-list
redhat-install-list
redhat-list
redhat-watch-list
Request more information about Pantek
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "TioXIwoBAI8AABKVXikAAAAC"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "TipcPgoBAI8AABKUXDkAAAAB"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TiqlNwoBAI8AABKWYCEAAAAD"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Tir2RQoBAI8AABKXYhYAAAAE"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bln/1"] [unique_id "Tis8ugoBAI8AABKZZhIAAAAG"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TiuGIAoBAI8AABKYZDAAAAAF"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "TivV6goBAI8AABKaZ68AAAAH"]
Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related redhat.com Links
fedora-list
pump-list
redhat-announce-list
redhat-devel-list
redhat-install-list
redhat-list
redhat-watch-list
Request more information about Pantek
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "TiwerAoBAI8AABKTWiIAAAAA"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/"] [unique_id "TizPvAoBAI8AABKVXioAAAAC"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/vcc/default"] [unique_id "Ti0gaAoBAI8AABKUXDoAAAAB"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "Ti1omwoBAI8AABKWYCIAAAAD"]
[Tue Feb 12 14:09:07 2008] [error] [client 127.0.0.2] ModSecurity: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] [hostname "svn.cdkkt.com"] [uri "/!svn/bc/1"] [unique_id "Ti2zlAoBAI8AABKXYhcAAAAE"]

However, notice that there is an '[error]' statement above and I cannot understand what this means.

4) Opening a terminal window on another system, then issuing: + svn list <https://svn.cdkkt.com>
Error validating server certificate for '<https://svn.cdkkt.com:443>': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! - The certificate hostname does not match. Certificate information:

- Hostname: linux.cdkkt.com
- Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
- Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
Do you need help? 
In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software:Learn more about Pantek's Technical Support offerings
Place an order for 24/7/365 Technical Support here
Learn more about Pantek, who we are, and what we do
Chat with a Live Operator
Related redhat.com Links
fedora-list
pump-list
redhat-announce-list
redhat-devel-list
redhat-install-list
redhat-list
redhat-watch-list
Request more information about Pantek
- Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58

(R)eject, accept (t)emporarily or accept (p)ermanently? t svn: PROPFIND request failed on '/'
svn: PROPFIND of '/': 405 Method Not Allowed (<https://svn>.cdkkt.com)

But the interesting thing here is, there is no log entry in /var/log/httpd/svn.cdkkt.com/error_log file.

Do you need more help?

I tried the svn command on a windoes and another remote fedora 8 system. Strange.

#==============================================================

# Using METHOD #1: (NO VIRTUAL)

#==============================================================

5) Using Firefox and URL: https://linux.cdkkt.com/svn <https://linux.cdkkt.com> results: Looks good. Looks like (1) above

6) Using local system command line in a terminal window: + svn list <https://linux.cdkkt.com/svn> Error validating server certificate for '<https://linux.cdkkt.com:443>': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate information:

- Hostname: linux.cdkkt.com
- Valid: from Wed, 06 Feb 2008 23:24:26 GMT until Sat, 03 Feb 2018 23:24:26 GMT
- Issuer: IT Department, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 17:ec:2d:2d:04:1d:ff:fa:4c:fe:6a:29:36:ac:58:e2:57:6b:5f:58

(R)eject, accept (t)emporarily or accept (p)ermanently? t Authentication realm: <https://linux.cdkkt.com:443> linux.cdkkt.com Password for 'root':
Authentication realm: <https://linux.cdkkt.com:443> linux.cdkkt.com Username: dant
Password for 'dant':
branches/
tags/
trunk/

Looks good. I can 'list' through the trunk all the way down to the single file.

7) Ok, now I want to check out a single file:

+ svn checkout <https://svn.cdkkt.com/svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c> svn: URL 'https://svn.cdkkt.com/svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c' refers to a file, not a directory

/var/log/httpd/modsec_audit.log

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emUSHQoBAI8AABarWncAAAAB 127.0.0.2 42525 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: svn.cdkkt.com

User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Keep-Alive: 
Connection: TE, Keep-Alive

TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip

--2ae06c08-F--
HTTP/1.1 401 Authorization Required
WWW-Authenticate: Basic realm="linux.cdkkt.com" Content-Length: 480
Connection: close
Content-Type: text/html; charset=iso-8859-1

--2ae06c08-H--
Stopwatch: 1202859184296477 2360 (- - -) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

Can we help you?

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emU4tgoBAI8AABatXNgAAAAD 127.0.0.2 42526 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: svn.cdkkt.com

User-Agent: SVN/1.4.4 (r25188) neon/0.27.2
Keep-Alive: 
Connection: TE, Keep-Alive

TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind> --2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184306358 18126 (4436* 4828 15844) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emWbzgoBAI8AABavYB4AAAAF 127.0.0.2 42527 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind> --2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184331726 11347 (4209* 4620 9387) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

Can't find what you're looking for?

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emXhJwoBAI8AABauYi4AAAAE 127.0.0.2 42528 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind> --2ae06c08-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184349479 12331 (4224* 4596 10181) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emYpwwoBAI8AABawYuUAAAAG 127.0.0.2 42529 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184368067 17664 (4354* 4731 15507) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

Don't know where to look next?

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] emaH6QoBAI8AABasY-AAAAAC 127.0.0.2 42530 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184392169 11759 (4314* 4739 9642) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

--2ae06c08-A--
[12/Feb/2008:15:33:04 --0800] embPQQoBAI8AABaxZgoAAAAH 127.0.0.2 42531 127.0.0.2 443 --2ae06c08-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--2ae06c08-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184410433 12269 (4276* 4653 10248) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--2ae06c08-Z--

Confused? Frustrated?

--e1292529-A--
[12/Feb/2008:15:33:04 --0800] emcYOAoBAI8AABaqWCcAAAAA 127.0.0.2 42532 127.0.0.2 443 --e1292529-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--e1292529-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind> --e1292529-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--e1292529-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184429112 17783 (4355* 4734 15503) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--e1292529-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emd2lgoBAI8AABarWngAAAAB 127.0.0.2 42533 127.0.0.2 443 --16284303-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 111
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><checked-in xmlns="DAV:"/></prop></propfind> --16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 388
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184453270 11334 (4206* 4572 9371) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--16284303-Z--

Call Pantek today for Open Source Technical Support at 1-877-546-8934 - 24/7/365

--16284303-A--
[12/Feb/2008:15:33:04 --0800] eme8OQoBAI8AABatXNkAAAAD 127.0.0.2 42534 127.0.0.2 443 --16284303-B--
PROPFIND /svn/!svn/bln/1 HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind> --16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184471097 12251 (4221* 4688 10276) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emgFawoBAI8AABavYB8AAAAF 127.0.0.2 42535 127.0.0.2 443 --16284303-B--
PROPFIND /svn/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind> --16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 728
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184489835 17937 (4510* 4883 15644) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--16284303-Z--

Do you need help?

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emhl2goBAI8AABauYi8AAAAE 127.0.0.2 42536 127.0.0.2 443 --16284303-B--
PROPFIND /svn/!svn/vcc/default HTTP/1.1
Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 148
Content-Type: text/xml
Label: 1
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><baseline-collection xmlns="DAV:"/><version-name xmlns="DAV:"/></prop></propfind> --16284303-F--
HTTP/1.1 207 Multi-Status
Vary: Label
Content-Length: 439
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184514522 12606 (4270* 4634 10434) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--16284303-Z--

--16284303-A--
[12/Feb/2008:15:33:04 --0800] emiwOAoBAI8AABawYuYAAAAG 127.0.0.2 42537 127.0.0.2 443 --16284303-B--
PROPFIND /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: svn.cdkkt.com
User-Agent: SVN/1.4.4 (r25188) neon/0.27.2 Connection: TE
TE: trailers
Content-Length: 300
Content-Type: text/xml
Depth: 0
Accept-Encoding: gzip, gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--16284303-C--
<?xml version="1.0" encoding="utf-8"?><propfind xmlns="DAV:"><prop><version-controlled-configuration xmlns="DAV:"/><resourcetype xmlns="DAV:"/><baseline-relative-path xmlns="http://subversion.tigris.org/xmlns/dav/"/><repository-uuid xmlns="<http://subversion.tigris.org/xmlns/dav/>"/></prop></propfind> --16284303-F--
HTTP/1.1 207 Multi-Status
Content-Length: 738
Connection: close
Content-Type: text/xml; charset="utf-8"

--16284303-H--
Message: Access allowed (phase 2). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [id "1"] [msg "SVN request, allow it."] Apache-Handler: dav-handler
Stopwatch: 1202859184533560 17668 (4325* 4731 15524) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--16284303-Z--

Do you need more help?

--4282643b-A--
[12/Feb/2008:15:25:50 --0800] YINzxAoBAI8AABavYAwAAAAF 10.1.0.11 3755 10.1.0.143 443 --4282643b-B--
GET /svn/!svn/bc/1/trunk/Eclipse/C/Examples/HelloWorld/HelloWorld.c HTTP/1.1 Host: linux
User-Agent: SVN/1.4.5 (r25188) neon/0.26.3 Connection: TE
TE: trailers
Accept-Encoding: gzip
Authorization: Basic ZGFudDpmcmVlMmJlbWU=

--4282643b-F--
HTTP/1.1 400 Bad Request
Content-Length: 297
Connection: close
Content-Type: text/html; charset=iso-8859-1

--4282643b-H--
Message: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\s*(?:\\w{3,7}?\\:\\/\\/[\\w\\-\\.\\/]*)??\\/[\\w\\-\\.\\/~%:@&=+$,;]*(?:\\?[\\S]*)??\\s*http\\/\\d\\.\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] Action: Intercepted (phase 2)
Stopwatch: 1202858750079940 6090 (4008 4560 -) Producer: ModSecurity v2.1.3 (Apache 2.x) Server: Apache/2.2.6 (Fedora)

--4282643b-Z--

So what gives here? Why can I NOT checkout a single file? Moving on...

8) Firefox, URL: https://linux.cdkkt.com, on a remote system. Works. Same as: (1) above

9) Same as (6) above, but remotely
It works.

5) Same as (7) but remotely
Same error. Cannot checkout the file.

Can we help you?

6) ECLIPSE:
a) Try adding URL: https://linux.cdkkt.com to Eclipse Works.
b) Try to checkout the HelloWorld.c file Fails:
Error opening the Editor. (Timeout error: <Date>) Reason: java.lang.NullPointerException

I suspect for the same Mod_security error reason as (3) and (5) above.

So at this point, I METHOD #1 is able to remotely access the SVN repository as opposed to METHOD #2. I think with METHOD #2, I could not get the DNS to work so that svn.cdkkt.com can access the snv repository instead of my website (www) as with trac.cdkkt.com, so neither svn nor trac is accessable anywhere but locally. Finally, regardless of which method is used, I cannot checkout a single file for editing.

Dan

No virus found in this outgoing message. Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.20.4/1275 - Release Date: 2/12/2008 3:20 PM

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: 
https://www.redhat.com/mailman/listinfo/fedora-list

Received on Wed Feb 13 10:51:46 2008

This message: [ Message body ]
Next message: Sieranski, Greg: "Re: x86_64/i386"
Previous message: Aaron Konstam: "sound .- THE SOLUTION AT LAST (PLEASE NOTE)"
Maybe in reply to: Daniel B. Thurman: "[F8] Apache Mod_Security and SubVersion"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Thu May 29 2008 - 09:10:25 EDT