[cvsnt] Re: Sserver authentification problem

Cedric GROSS Cedric.Gross at cnv.fr
Fri Jun 18 12:37:28 BST 2004



>
> > They are encrypted with a passphrase, is that the problem? (It's
> > recommended in the installation document for linux) or is it because
> > the client can't obtain the certificate?
>
> Yes, cvsnt can't use them.  This is mentioned on the installation
> document I think.

I used an unencrypted cert, but that changed nothing.

>
> There's no point in putting a passphrase on certificates that are
> used for a server, as you would have to store the passphrase in
> plaintext on the server anyway - negating any advantage you get from
> the passphrase in the first place.
>
> > I'm running cvsnt 2.0.34 on FreeBSD 5.2.1.
>
> That's quite old...  It should work though (2.0.41 has slightly
> better logging of the server side errors).

Upgraded, but that changed nothing either.

It seems that it is a protocol version problem. I used openssl s_client to
test; here is the trace:
#/usr/local/bin/openssl s_client -connect 10.0.0.12:2402 -state -debug
CONNECTED(00000005)
SSL_connect:before/connect initialization
write to 080B5280 [080CB000] (148 bytes => 148 (0x94))
0000 - 80 92 01 03 01 00 69 00-00 00 20 00 00 39 00 00   ......i... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 66 00 00 05-00 00 04 01 00 80 08 00   ....f...........
0040 - 80 00 00 63 00 00 62 00-00 61 00 00 15 00 00 12   ...c..b..a......
0050 - 00 00 09 06 00 40 00 00-65 00 00 64 00 00 60 00   .....@..e..d..`.
0060 - 00 14 00 00 11 00 00 08-00 00 06 04 00 80 00 00   ................
0070 - 03 02 00 80 1b b2 9e b6-34 63 e4 05 b2 ce 6e 24   ........4c....n$
0080 - 72 f8 ec 11 ca b5 dd 21-92 fa 54 7f 70 29 a7 e7   r......!..T.p)..
0090 - 05 bd 1d fc                                       ....
SSL_connect:SSLv2/v3 write client hello A
read from 080B5280 [080D1000] (7 bytes => 7 (0x7))
0000 - 43 56 53 4c 6f 63 6b                              CVSLock
SSL_connect:error in SSLv2/v3 read server hello A
48516:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

And if I specify the use of ssl2:
#/usr/local/bin/openssl s_client -connect 10.0.0.12:2402 -state -debug
CONNECTED(00000005)
SSL_connect:before/connect initialization
write to 080B5300 [080D4001] (51 bytes => 51 (0x33))
0000 - 80 31 01 00 02 00 18 00-00 00 10 07 00 c0 05 00   .1..............
0010 - 80 03 00 80 01 00 80 08-00 80 06 00 40 04 00 80   ............@...
0020 - 02 00 80 a3 33 c6 9c 6a-8f cf 77 69 ad 0b 97 45   ....3..j..wi...E
0030 - 94 e9                                             ..
0033 - <SPACES/NULS>
SSL_connect:SSLv2 write client hello A
read from 080B5300 [080CB000] (2 bytes => 2 (0x2))
0000 - 43 56                                             CV
read from 080B5300 [080CB002] (855 bytes => 16 (0x10))
0000 - 53 4c 6f 63 6b 20 32 2e-30 20 52 65 61 64 79 0a   SLock 2.0 Ready.

So it seems to work better, but how do I specify the use of ssl2 in the
CVSROOT syntax? I tried :sserver;ssl2: ... but it's not working.

PS: I tried on port 2401, where cvs is running under xinetd, and it's exactly
the same thing.

I'm running OpenSSL 0.9.7c and I also tried with 0.9.7d.

Thanks for the help.
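
Added example, not part of the original message or of cvsnt: a small Python classifier for the leading bytes of each direction of a handshake, run over bytes copied from the two s_client traces above. It reports whether a buffer looks like an SSLv3/TLS record, an SSLv2 record, or printable ASCII; the names classify and SAMPLES are hypothetical.

```python
# Added example: decide what the first bytes of a connection look like.
TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
             0x16: "handshake", 0x17: "application_data"}
# SSLv2 message type -> (name, offset of the 2-byte version field in the record)
SSL2_MSGS = {1: ("client-hello", 3), 4: ("server-hello", 5)}


def classify(data: bytes):
    """Return (kind, detail) for the leading bytes of one direction."""
    # SSLv3/TLS record header: content type, version 3.x, 2-byte length.
    if len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3:
        length = int.from_bytes(data[3:5], "big")
        return ("tls-record",
                f"{TLS_TYPES[data[0]]}, version 3.{data[2]}, length {length}")
    # SSLv2 record, 2-byte header: high bit set, 15-bit length, message type.
    if len(data) >= 3 and data[0] & 0x80 and data[2] in SSL2_MSGS:
        name, off = SSL2_MSGS[data[2]]
        if len(data) >= off + 2:
            length = ((data[0] & 0x7F) << 8) | data[1]
            return ("sslv2-record",
                    f"{name}, version {data[off]}.{data[off + 1]}, length {length}")
    # Printable ASCII (plus tab/CR/LF) means a text banner, not a handshake.
    if data and all(0x20 <= b < 0x7F or b in b"\t\r\n" for b in data):
        return ("plaintext", data.decode("ascii"))
    return ("unknown", data[:8].hex())


# Leading bytes copied from the traces in the message above. The last entry
# joins the 2-byte and 16-byte reads shown in the second trace.
SAMPLES = {
    "client write, first trace": bytes.fromhex("80 92 01 03 01 00 69 00"),
    "server reply, first trace": bytes.fromhex("43 56 53 4c 6f 63 6b"),
    "client write, second trace": bytes.fromhex("80 31 01 00 02 00 18 00"),
    "server reply, second trace": bytes.fromhex(
        "43 56 53 4c 6f 63 6b 20 32 2e 30 20 52 65 61 64 79 0a"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:28} -> {classify(raw)}")
```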



