Discussion:
SASL Encryption Not Working
TomDeWord
2008-07-30 14:01:00 UTC
Hi There, I cannot get SASL Encryption working on Windows with
TortoiseSVN 1.5.x.

I logged a problem here on July 15th, but without any success:
http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=100218

In summary; I have SASL authentication up and running on Windows using
both Tigris & Collabnet Win32 distributions of SVN 1.5.0 server.
However when I enable encryption by setting the following in
svnserve.conf:

min-encryption = 128
max-encryption = 256

I get the following error in the Tortoise repro browser 1.5.0:

SASL(-1): generic failure: Unable to find a callback: 2

If I change the 128 to 1 (so it just uses integrity checks) it works
fine (but I assume without encryption).

I'm using the following in svn.conf:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: c:\repro


I see from the change log in TortoiseSVN 1.5.1 the following entry:
- CHG: The saslDIGESTMD5.dll has now encryption enabled. (Stefan)

I've upgraded the Tortoise client to 1.5.1 but still have the same
problem, is it possible that I need to upgrade the server to 1.5.1 as
well - although there is no official binary yet.

Has anyone got SASL Encryption working on Windows? Is there a log file
for SASL? Any help would be greatly appreciated.

Regards,

Tom
Stefan Küng
2008-07-30 20:36:12 UTC
Post by TomDeWord
Hi There, I cannot get SASL Encryption working on Windows with
TortoiseSVN 1.5.x.
http://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=100218
In summary; I have SASL authentication up and running on Windows using
both Tigris & Collabnet Win32 distributions of SVN 1.5.0 server.
However when I enable encryption by setting the following in
min-encryption = 128
max-encryption = 256
SASL(-1): generic failure: Unable to find a callback: 2
If I change the 128 to 1 (so it just uses integrity checks) it works
fine (but I assume without encryption).
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: c:\repro
- CHG: The saslDIGESTMD5.dll has now encryption enabled. (Stefan)
I've upgraded the Tortoise client to 1.5.1 but still have the same
problem, is it possible that I need to upgrade the server to 1.5.1 as
well - although there is no official binary yet.

I just tested this with the opencollab.net server which is built from
svn 1.5.0. It works fine with TSVN 1.5.1.
I only got the same error as you when I didn't pass the correct
username, or when I first forgot to create the password without
specifying the repository realm.
Please have a look at the Subversion book on how to configure your
server correctly.

Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
TomDeWord
2008-08-01 11:29:30 UTC
Post by Stefan Küng
I just tested this with the opencollab.net server which is built from
svn 1.5.0. It works fine with TSVN 1.5.1.
I only got the same error as you when I didn't pass the correct
username, or when I first forgot to create the password without
specifying the repository realm.
Please have a look at the Subversion book on how to configure your
server correctly.
Stefan

Thanks for taking the time to check this Stefan; as you've confirmed
that it does work I retried the following:

I created a repository from scratch and set it up as a service:

sc create svnserve binpath= "d:\svn\bin\svnserve.exe --service --root D:\svn\testRepro" displayname= "Subversion" depend= tcpip start= auto

svnserve.conf (in D:\svn\testRepro\conf) contains:

[general]
realm=home

I created a new user:

saslpasswd2.exe -c -f "D:\svn\testRepro\sasldb" -u home jonus

sasldblistusers2 -f "D:\svn\testRepro\sasldb"

gives:

***@home: userPassword

I have the following in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Carnegie Mellon\Project Cyrus\SASL Library]
"SearchPath"="D:\\svn\\bin"
"ConfFile"="D:\\svn\\testRepro"

svn.conf (in D:\svn\testRepro) contains:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5
sasldb_path: D:\svn\testRepro\sasldb

I then enter svn://localhost into the repro browser:

If I set use-sasl to false I get an expected 'No access allowed to
this repository' message as anon-access is set to none.
If I set use-sasl to true with min-encryption set to 1 I get an
authentication dialog: <svn://localhost:3690> home
I enter the username of ***@home & the password, check save
authentication and hit ok; this accesses the repository fine.

As far as I can see the username, password & realm are set up fine and
I must be using SASL authentication as the user jonus only exists in
the sasldb and anon-access is set to none. It seems to only be a
problem with the encryption not the authentication.

If I change min-encryption to 128 I get the error: SASL(-1): generic
failure: Unable to find a callback: 2

I've gone over the instructions multiple times and can see nothing to
change, can you see anything I've missed? Thanks for your help.

Regards

Tom
Stefan Küng
2008-08-01 16:19:05 UTC
Post by TomDeWord
Post by Stefan Küng
I just tested this with the opencollab.net server which is built from
svn 1.5.0. It works fine with TSVN 1.5.1.
I only got the same error as you when I didn't pass the correct
username, or when I first forgot to create the password without
specifying the repository realm.
Please have a look at the Subversion book on how to configure your
server correctly.
Stefan
Thanks for taking the time to check this Stefan; as you've confirmed
[snip]

Post by TomDeWord
If I change min-encryption to 128 I get the error: SASL(-1): generic
failure: Unable to find a callback: 2

That error only tells you that HAVE_SYSLOG was not defined when compiling
sasl - really stupid: it rather should return the real error
(HAVE_SYSLOG can't be defined on Windows because it doesn't have syslog.h).

Post by TomDeWord
I've gone over the instructions multiple times and can see nothing to
change, can you see anything I've missed? Thanks for your help.

I got to reproduce the problem and while it took me quite a while to
figure out the problem, I got it now:
the reason it does not work is because your server is configured to
provide encryption with RC4, but our dlls are compiled only to use DES
encryption (which is a *lot* better).
I've now enabled RC4 in our sasl dlls too, so it should work with your
configuration too.

I'm currently running some more tests before I commit that change. You
can expect a new 1.5.x nightly in a few hours...

Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
TomDeWord
2008-08-01 23:00:00 UTC
Excellent detective work Stefan, I've downloaded and tried the
current nightly build (TortoiseSVN 1.5.2, Build 13608 - 32 Bit -dev,
2008/08/01 18:41:21) and all seems to be working well with min/max-
encryption set to 128/256 (although I've not snooped the svn traffic
to confirm that it's actually encrypted!); did a simple commit &
compare with no corruption.

Is there a way to change the server to use DES over RC4 or does this
require a rebuild of the core SVN distro?

Tom
Stefan Küng
2008-08-02 07:43:57 UTC
Post by TomDeWord
Excellent detective work Stefan, I've downloaded and tried the
current nightly build (TortoiseSVN 1.5.2, Build 13608 - 32 Bit -dev,
2008/08/01 18:41:21) and all seems to be working well with min/max-
encryption set to 128/256 (although I've not snooped the svn traffic
to confirm that it's actually encrypted!); did a simple commit &
compare with no corruption.
Is there a way to change the server to use DES over RC4 or does this
require a rebuild of the core SVN distro?

I don't know if you can configure the official svn build to use DES. I
thought that it would use DES by default, but apparently DES only worked
with TSVN when I used the svnserve I built myself (which had RC4 not
built in).
Since TSVN does not work with the collab.net build, I have to assume
that they didn't build DES support into their binaries. If they had, I
would assume that server and client would negotiate about what
encryption type to use.

Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
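
The security-layer negotiation discussed in this thread, as an added example that is not part of the original posts and is not Subversion, TortoiseSVN or Cyrus SASL code: it parses a DIGEST-MD5 challenge and picks a layer that fits min-encryption/max-encryption. The challenge string, the cipher-to-SSF table and the function names are assumptions constructed for illustration.

```python
import re

# Assumption: SSF (security strength factor) per DIGEST-MD5 cipher, as commonly
# assigned by Cyrus SASL builds. Check your own build before relying on it.
CIPHER_SSF = {"rc4": 128, "3des": 112, "rc4-56": 56, "des": 55, "rc4-40": 40}

# Constructed sample: a server that offers only RC4 for the privacy layer.
SAMPLE_CHALLENGE = ('realm="home",nonce="Y29uc3RydWN0ZWQ=",'
                    'qop="auth,auth-int,auth-conf",cipher="rc4",'
                    'charset=utf-8,algorithm=md5-sess')

def parse_challenge(challenge):
    """Parse an RFC 2831 digest-challenge into {directive: value}."""
    pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]+)', challenge)
    return {k.lower(): v.strip().strip('"') for k, v in pairs}

def negotiate(challenge, client_ciphers, min_ssf, max_ssf):
    """Pick (qop, cipher, ssf) within [min_ssf, max_ssf] or raise ValueError."""
    d = parse_challenge(challenge)
    qops = {q.strip() for q in d.get("qop", "auth").split(",")}
    offered = [c.strip() for c in d.get("cipher", "").split(",") if c.strip()]
    if "auth-conf" in qops:
        # Encryption needs a cipher both sides were built with, inside the range.
        usable = [c for c in offered
                  if c in CIPHER_SSF and c in client_ciphers
                  and min_ssf <= CIPHER_SSF[c] <= max_ssf]
        if usable:
            best = max(usable, key=CIPHER_SSF.get)
            return ("auth-conf", best, CIPHER_SSF[best])
    if "auth-int" in qops and min_ssf <= 1 <= max_ssf:
        return ("auth-int", None, 1)   # integrity only, traffic stays readable
    if "auth" in qops and min_ssf == 0:
        return ("auth", None, 0)       # authentication only
    raise ValueError("no common security layer: server offers %s, client has %s"
                     % (offered, sorted(client_ciphers)))

def describe(client_ciphers, min_ssf, max_ssf):
    """Run the negotiation against the sample challenge and report the outcome."""
    try:
        return negotiate(SAMPLE_CHALLENGE, client_ciphers, min_ssf, max_ssf)
    except ValueError as exc:
        return "FAIL: %s" % exc

if __name__ == "__main__":
    print(describe({"des"}, 128, 256))         # DES-only client, encryption required
    print(describe({"des"}, 1, 256))           # same client, integrity allowed
    print(describe({"des", "rc4"}, 128, 256))  # client rebuilt with RC4
```

With min-encryption = 1 the DES-only client falls back to integrity protection, which matches the behaviour reported earlier in the thread; only a capture of the traffic confirms which layer a real connection ended up with.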
Sparrow Hawk
2008-08-04 10:39:47 UTC
I still have a problem with SASL.
I compiled the tarball of the svn-1.5.1 r32289 under slackware 12

I downloaded the latest:
TortoiseSVN 1.5.2, Build 13595 - 32 Bit , 2008/07/31 17:04:57

I set up the svnserve.conf like:
use-sasl = true
min-encryption = 128
max-encryption = 256

/usr/lib/sasl2/subversion.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: CRAM-MD5 #DIGEST_MD5 is the same

the CollabNet's svn command-line client (svn.exe) could work with this
configuration,

but the TortoiseSVN could not.

I can't figure out the problem.
TomDeWord
2008-08-05 15:45:22 UTC
Please see above; Stefan produced a release candidate build of 1.5.2 -
Build 13608 (available from the nightly builds) which includes support
for RC4 encryption - you've installed build 13595 which doesn't have
the fix (maybe it will officially arrive in 1.5.3).

Regards

Tom
Sparrow Hawk
2008-08-07 01:02:50 UTC
Thank you!