[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] get-location-segments.py would work on self-signed ssl servers too

From: Prabhu Gnana Sundar <prabhugs_at_collab.net>
Date: Fri, 02 Sep 2011 16:18:33 +0530

Thanks Vijay for the detailed explanation...

I am attaching the patch for the script with minor tweaks...

Regards
Prabhu

On Friday 02 September 2011 04:13 PM, vijay wrote:
>
> Actually, there are two issues to be noted.
>
> 1.Bug with neon (Reproducible in Ubuntu 10.10, svn 1.6.12, neon
> 0.29.3/GNUTLS)
>
> 2.Bug with openssl (Reproducible in Ubuntu 10.10, neon 0.29.x/openssl
> 0.9.8o)
>
>
> Bug with neon (Reproducible in Ubuntu 10.10, neon 0.29.3/GNUTLS)
> ---------------------------------------------------------------------------------------
>
> Even my svn 1.6 command line binary that comes with Ubuntu 10.10 fails
> with following error while accessing "https://svn.eu.apache.org"
>
> $ svn info https://svn.eu.apache.org/repos/asf/subversion/README
> svn: OPTIONS of
> 'https://svn.eu.apache.org/repos/asf/subversion/README': SSL handshake
> failed: SSL error: A TLS warning alert has been received.
> (https://svn.eu.apache.org)
>
> This is due to a bug[1] reported in neon-GNUTLS combination. It is
> fixed in neon 0.29.5.
>
> The version of our distro's neon is 0.29.3. If we upgrade the neon
> library, the issue will be fixed.
>
> Bug with openssl (Reproducible in Ubuntu 10.10, neon 0.29.x/openssl
> 0.9.8o)
> -------------------------------------------------------------------------------------------------
>
> I built subversion trunk with neon 0.29.6 and openssl 0.9.8o. I got
> the following error message.
>
> svn: E175002: Unable to connect to a repository at URL
> 'https://svn.eu.apache.org/repos/asf/subversion'
> svn: E175002: OPTIONS of
> 'https://svn.eu.apache.org/repos/asf/subversion': SSL handshake
> failed: SSL error code -1/1/336032856 (https://svn.eu.apache.org)
>
> openssl 0.9.8o has TLS Extensions support but it is broken there.
>
> TLS Extensions support was added to openssl in 2006 itself.[openssl
> 0.9.8o was released in 2010]
>
> <snip-from-log>
> revision 1.33
> date: 2006-01-03 04:44:32 +0530; author: bodo; state: Exp; lines:
> +12 -0; commitid: 5gJcTq6NJelx15gr;
> Support TLS extensions (specifically, HostName)
>
> Submitted by: Peter Sylvester
> ----------------------------
> </snip>
>
> Why we say it is broken?
> -------------------------------
> The server "svn.eu.apache.org" or "svn.us.apache.org" sends an alert
> message during SSL handshake.
>
> We can look at it in the following ssldump output.
>
> <snip>
> vijayaguru_at_maverick:~/svn-sandbox/Dependencies-Untarred/openssl-0.9.8o/ssl$
> sudo ssldump -i eth2 host svn.eu.apache.org
> New TCP connection #1: maverick(35789) <-> harmonia.apache.org(443)
> 1 1 0.4067 (0.4067) C>S Handshake
> ClientHello
> Version 3.1
> cipher suites
> Unknown value 0xc014
> Unknown value 0xc00a
> Unknown value 0x39
> Unknown value 0x38
> Unknown value 0x88
> Unknown value 0x87
> Unknown value 0xc00f
> Unknown value 0xc005
> Unknown value 0x35
> Unknown value 0x84
> Unknown value 0xc012
> Unknown value 0xc008
> TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> Unknown value 0xc00d
> Unknown value 0xc003
> TLS_RSA_WITH_3DES_EDE_CBC_SHA
> Unknown value 0xc013
> Unknown value 0xc009
> Unknown value 0x33
> Unknown value 0x32
> Unknown value 0x9a
> Unknown value 0x99
> Unknown value 0x45
> Unknown value 0x44
> Unknown value 0xc00e
> Unknown value 0xc004
> Unknown value 0x2f
> Unknown value 0x96
> Unknown value 0x41
> TLS_RSA_WITH_IDEA_CBC_SHA
> Unknown value 0xc011
> Unknown value 0xc007
> Unknown value 0xc00c
> Unknown value 0xc002
> TLS_RSA_WITH_RC4_128_SHA
> TLS_RSA_WITH_RC4_128_MD5
> TLS_DHE_RSA_WITH_DES_CBC_SHA
> TLS_DHE_DSS_WITH_DES_CBC_SHA
> TLS_RSA_WITH_DES_CBC_SHA
> TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
> TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
> TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> TLS_RSA_EXPORT_WITH_RC4_40_MD5
> Unknown value 0xff
> compression methods
> NULL
> * 1 2 0.8245 (0.4177) S>C Alert *
> level warning
> value unknown value
> </snip>
>
> What does this alert message refer to?
> -------------------------------------------------
> <snip>
>
> From
> _http://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_record_protocol_
> Alert protocol
>
> This record should normally not be sent during normal handshaking or
> application exchanges. However, this message can be sent at any time
> during the handshake and up to the closure of the session. If this is
> used to signal a fatal error, the session will be closed immediately
> after sending this record, so this record is used to give a reason for
> this closure. If the alert level is flagged as a warning, the remote
> can decide to close the session if it decides that the session is not
> reliable enough for its needs (before doing so, the remote may also
> send its own signal).
> </snip>
>
> There are two alert level types.
>
> 1.Warning
> 2.fatal
>
> openssl 1.0.0d handles warning and fatal alert types in different ways.
>
> 1. If it is fatal, terminate the session.
>
> 2.If it is warning, resume it.
>
> You can look at it in "{openssl-src-dir}/ssl/s23_clnt.c:
> ssl23_get_server_hello()"
>
> But openssl 0.9.8o terminates the session if it receives an alert
> message; no matter the level of alert.
>
> Here, in this case, the level of alert is "Warning".
> With openssl 0.9.8o, the connection is closed immediately. We see the
> following error message.
>
> <snip>
> svn: E175002: Unable to connect to a repository at URL
> 'https://svn.eu.apache.org/repos/asf/subversion'
> svn: E175002: OPTIONS of
> 'https://svn.eu.apache.org/repos/asf/subversion': SSL handshake
> failed: SSL error code -1/1/336032856 (https://svn.eu.apache.org)
> </snip>
>
> openssl 1.0.0d proceeds further and we could successfully complete our
> svn operation.
>
> Upgrading openssl to 1.0.0d will fix this issue.
>
> Thanks Daniel. It is a very good learning for us.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/subversion/+bug/294648
>
> Thanks & Regards,
> Vijayaguru

Received on 2011-09-02 12:49:19 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.