[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: subversion client having issues talking to subversion repository over HTTPS via proxy

From: Lieven Govaerts <lgo_at_apache.org>
Date: Wed, 3 Jul 2013 15:26:16 +0200

Hi,

On Tue, Jun 25, 2013 at 11:17 PM, Lieven Govaerts
<lieven.govaerts_at_gmail.com> wrote:
> Hi,
>
> On Tue, Jun 25, 2013 at 9:37 PM, Greg Stein <gstein_at_gmail.com> wrote:
>> Ashish,
>>
>> This is normally a question for users@, but I think Lieven was working
>> on something exactly like this already. I've cc'd him for more detail.
>
> Ashish already reported this in the serf issue tracker:
> https://code.google.com/p/serf/issues/detail?id=83#c6
>
> The reason I asked him to report here, is that I think the issue
> scenario can be summarized to this:
>
> svn+ra_serf using an ssl tunnel don't work if the server has KeepAlive
> off. The error reported is '501 Not Implemented'.
>
> Such status code is not handled within serf or subversion.
>
> Now I'm trying to reproduce this but I don't have the right setup
> available, so this has to wait until the weekend when I have some more
> time.

I was able to reproduce this issue: https server with basic
authentication and KeepAlive Off, behind a http proxy.

The scenario is exactly as how Ashish described it, the OPTIONS
request is not sent over the ssl tunnel to the server, but directly to
the proxy.
The root cause is that the OPTIONS request, retried because of the
authentication failure, was added in the queue for the new connection
before the CONNECT request. When serf then opens a socket to connect
to the proxy, it will first send the OPTIONS request.

This issue has been fixed in r1991 on serf trunk, and I'll propose it
for backport to serf 1.3.0.

Thanks for the report Ashish!

Lieven

> Svn connecting directly to a repository on a server with KeepAlive off
> does the right thing though. Here svn always send one OPTIONS request
> and waits for the response, so the server can gracefully close the
> connection after its first response. For all other connections that
> seems to work too.
>
> To be investigated.
>
> Lieven
>
>> Cheers,
>> -g
>>
>> On Tue, Jun 25, 2013 at 12:09 PM, Ashish SHUKLA <ashish.is_at_lostca.se> wrote:
>>> Hi,
>>>
>>> I'm having problems connecting my subversion client to talk to my subversion
>>> repositories over HTTPS. I've two subversion repositories (version 1.7), both
>>> of which require HTTP Basic authentication, on different hosts.
>>>
>>> On my client-side, I've a ~/.subversion/servers file configured to use HTTP
>>> proxy, a polipo instance running locally. Now when I connect to repository A
>>> using subversion client, it works fine. But when I connect to repository B, I
>>> get HTTP Error "501 Method Not Implemented".
>>>
>>> I truss-ed the polipo instance, and noticed that when subversion client
>>> connects to repository A, it sends "CONNECT repository-a.domain.tld:443..."
>>> request to proxy, and then uses that throughout the session. Whereas when
>>> subversion client connects to repository B, it sends "CONNECT
>>> repository-b.domain.tld:443..." to proxy, and after that it sends "OPTIONS
>>> https://repository-b.domain.tld/ HTTP/1.1\r\nWWW-Authenticate:....\r\n" to
>>> proxy to which proxy responds with "501 Method Not Implemented".
>>>
>>> I looked at httpd configurations of both hosts, and found that repository-a's
>>> httpd is having "KeepAlive On", whereas repository-b's httpd has it Off. I
>>> added "KeepAlive On" on repository-b's httpd, and it started working as well.
>>>
>>> So from what I understand about this problem, is that svn client should have
>>> sent 2nd request OPTIONS request also in a CONNECT request. I used subversion
>>> 1.7, as well as 1.8 to test it.
>>>
>>> I could file a bug-report if it seems like bug.
>>>
>>> I'm not part of the list, so if you could Cc me in replies, it would be great.
>>>
>>> Thanks
>>> --
>>> Ashish SHUKLA
>>>
>>> “Fashion is a form of ugliness so intolerable that we have to alter it every six
>>> months.” (Oscar Wilde)
>>>
>>> Sent from my Emacs
Received on 2013-07-03 15:27:07 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.