Re: Secure connection truncated due to libneon and 1.6.4

From: Michael Diers <mdiers_at_elego.de>
Date: Wed, 02 Sep 2009 12:58:31 +0200

Chris Nagele wrote:
> We've been trying to fix a strange issue at Beanstalk after migrating
> to Rackspace. I want to share the experience as it might help others.
>
> PROBLEM
>
> A small group of users were getting this error upon connecting to svn:
>
> svn: OPTIONS of
> 'https://myaccount.svn.beanstalkapp.com/myproject/trunk': SSL
> negotiation failed: Secure connection truncated
> (https://myaccount.svn.beanstalkapp.com)
>
> We found some commonality between them:
>
> * Using Ubuntu 9.04, Fedora 11, Debian 5
> * Using SVN 1.5 client or later
>
> It worked with:
> * ubuntu 8.04 - subversion 1.4.6
>
> A customer compiled Subversion against serf and it worked for him. He
> used libssl 0.9.8 and libserf instead of libneon.
>
> SOLUTION
>
> We have a Cisco load balancer (CSS) and had the ssl traffic decrypted
> there instead of doing it on the servers. The problem is that the CSS
> can't support TLS 1.1 connections. To fix this, we need to move SSL
> back to each server instance.
>
> We tested and this problem did not exist with the server using 1.6.3.
> I read that this is to due to supporting only serf in 1.6.4, but I am
> not sure. Ideally we would like to still use the CSS. If anyone has a
> recommendation it would be greatly appreciated.

Chris,

Debian and Ubuntu have switched to using libneon27-gnutls instead of
libneon27, so neon is now using GNU TLS instead of OpenSSL. There are
open bugs concerning SSL issues with this configuration, although it's
usually to do with client certificates.

https://bugs.launchpad.net/bugs/480041

Note that Subversion in Ubuntu 8.04 is in fact using libneon27 (or
libneon26, I forget), the OpenSSL version of neon.

As mentioned in the above bug report, you could try this as a workaround:

* install libneon27 (in addition to libneon27-gnutls)
* LD_PRELOAD=/usr/lib/libneon.so.27 svn ...

-- 
Michael Diers, elego Software Solutions GmbH, http://www.elego.de
------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390133
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_subversion.tigris.org].

Received on 2009-09-02 13:00:04 CEST

This message: [ Message body ]
Next message: Ignacio G. T.: "Re: looking for one word to encompass trunk, tag and branch_53201"
Previous message: Radomir Zoltowski: "Re: Apache Error after upgrading from 1.4.3 to 1.5.7"
In reply to: Chris Nagele: "Secure connection truncated due to libneon and 1.6.4"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]