
Bug report: Regression SVN Client, SSL, Serf 1.3.9-3, SSLVerifyClient require

From: Folker Schamel <schamel23_at_spinor.com>
Date: Tue, 31 Jul 2018 15:56:11 +0200

Hello everyone,

After upgrading, Subversion SSL connections with "SSLVerifyClient
require" seem to be broken.

Broken: SVN Client 1.9.5, Serf 1.3.9-3, Server "SSLVerifyClient require"
Works:  SVN Client 1.9.5, Serf 1.3.9-3, Server "SSLVerifyClient off"
Works:  SVN Client 1.9.5, Serf 1.3.8-1, Server "SSLVerifyClient require"

For the broken setup, the client reports:
svn: E120171: Error running context: An error occurred during SSL
communication
And the server Apache log reports:
ssl_engine_io.c(1308): (70014)End of file found: [client xxxxx:xxxxx]
AH02007: SSL handshake interrupted by system [Hint: Stop button pressed
in browser?!]

The latest TortoiseSVN client reports the same problem, presumably
with the same cause.
Additional details below.

Can I help with additional information?

Btw, thanks a lot to all Subversion developers and contributors for the
awesome work!!!

Cheers,
Folker

***** Client-side recipe (latest Debian stretch):

root_at_xxxxx:/# apt-get install libserf-1-1=1.3.8-1
.....
root_at_xxxxx:/# svn --version
svn, version 1.9.5 (r1770682)
    compiled Jun 30 2018, 13:44:22 on x86_64-pc-linux-gnu

Copyright (C) 2016 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
   - with Cyrus SASL authentication
   - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
   - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using
serf.
   - using serf 1.3.8 (compiled with 1.3.9)
   - handles 'http' scheme
   - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /root/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

root_at_xxxxx:/# svn update
Updating '.':
At revision 828.
root_at_xxxxx:/# apt-get install libserf-1-1=1.3.9-3
.....
root_at_xxxxx:/# svn --version
svn, version 1.9.5 (r1770682)
    compiled Jun 30 2018, 13:44:22 on x86_64-pc-linux-gnu

Copyright (C) 2016 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
   - with Cyrus SASL authentication
   - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
   - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using
serf.
   - using serf 1.3.9 (compiled with 1.3.9)
   - handles 'http' scheme
   - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /root/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

root_at_xxxxx:/# svn update
Updating '.':
svn: E170013: Unable to connect to a repository at URL
'https://xxxxx/xxxxx/xxxxx'
svn: E120171: Error running context: An error occurred during SSL
communication
root_at_xxxxx:/#

***** Client-side recipe continuation after SSLVerifyClient require -> off

root_at_xxxxx:/# svn update
Updating '.':
At revision 828.
root_at_xxxxx:/#

***** Server-side ssl-error.log:

...
[Tue Jul 31 15:30:43.885515 2018] [ssl:info] [pid xxxxx:tid xxxxx]
[client xxxxx:xxxxx] AH01964: Connection to child 68 established (server
localhost:443)
[Tue Jul 31 15:30:43.885795 2018] [ssl:trace2] [pid xxxxx:tid xxxxx]
ssl_engine_rand.c(126): Seeding PRNG with 656 bytes of entropy
[Tue Jul 31 15:30:43.885983 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1989): [client xxxxx:xxxxx] OpenSSL: Handshake: start
[Tue Jul 31 15:30:43.886064 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop:
before/accept initialization
[Tue Jul 31 15:30:43.886114 2018] [ssl:trace4] [pid xxxxx:tid xxxxx]
ssl_engine_io.c(2135): [client xxxxx:xxxxx] OpenSSL: read 5/5 bytes from
BIO#7fcef0001580 [mem: 7fcef0006dc3] (BIO dump follows)
[Tue Jul 31 15:30:43.886134 2018] [ssl:trace4] [pid xxxxx:tid xxxxx]
ssl_engine_io.c(2135): [client xxxxx:xxxxx] OpenSSL: read 191/191 bytes
from BIO#7fcef0001580 [mem: 7fcef0006dc8] (BIO dump follows)
[Tue Jul 31 15:30:43.886183 2018] [ssl:debug] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(2122): [client xxxxx:xxxxx] AH02044: No matching SSL
virtual host for servername xxxxx found (using default/first virtual host)
[Tue Jul 31 15:30:43.886258 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.886294 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.886419 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.908313 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.908537 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.908769 2018] [ssl:trace4] [pid xxxxx:tid xxxxx]
ssl_engine_io.c(2135): [client xxxxx:xxxxx] OpenSSL: write 2173/2173
bytes to BIO#7fcef0001500 [mem: 7fcef0014030] (BIO dump follows)
[Tue Jul 31 15:30:43.909055 2018] [core:trace6] [pid xxxxx:tid xxxxx]
core_filters.c(525): [client xxxxx:xxxxx] core_output_filter: flushing
because of FLUSH bucket
[Tue Jul 31 15:30:43.909342 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.918838 2018] [ssl:trace4] [pid xxxxx:tid xxxxx]
ssl_engine_io.c(2144): [client xxxxx:xxxxx] OpenSSL: I/O error, 5 bytes
expected to read on BIO#7fcef0001580 [mem: 7fcef00150e3]
[Tue Jul 31 15:30:43.919121 2018] [ssl:trace3] [pid xxxxx:tid xxxxx]
ssl_engine_kernel.c(2027): [client xxxxx:xxxxx] OpenSSL: Exit: error in
unknown state
[Tue Jul 31 15:30:43.919427 2018] [ssl:debug] [pid xxxxx:tid xxxxx]
ssl_engine_io.c(1308): (70014)End of file found: [client xxxxx:xxxxx]
AH02007: SSL handshake interrupted by system [Hint: Stop button pressed
in browser?!]
[Tue Jul 31 15:30:43.919615 2018] [ssl:info] [pid xxxxx:tid xxxxx]
[client xxxxx:xxxxx] AH01998: Connection closed to child 68 with
abortive shutdown (server localhost:443)
...

***** Server-side Apache configuration (latest Debian stretch):

<VirtualHost>
     .....

     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/apache.pem

     SSLVerifyClient require
     SSLVerifyDepth 1
     SSLCACertificateFile /xxxxx/xxxxx.pem
</VirtualHost>

<Location /svn>
     SetOutputFilter DEFLATE
     SetInputFilter DEFLATE
     Header append Vary User-Agent env=!dont-vary
</Location>

<Location /svn/xxxxx>
     DAV svn
     SVNPath /xxxxx
     SVNAutoversioning On
     SVNPathAuthz On
     AuthType Basic
     AuthName "xxxxx"
     AuthUserFile /xxxxx/xxxxx
     AuthzSVNAccessFile /xxxxx/xxxxx
     Require valid-user

     .....
</Location>

*****
Received on 2018-07-31 15:56:21 CEST

This is an archived mail posted to the Subversion Dev mailing list.
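
Added example (not part of the archived mail, and not Subversion, serf or Apache code): a small Python parser for mod_ssl trace output in the format of the ssl-error.log excerpt above. It rejoins the mail-wrapped lines and reports, per client, how many bytes the server read and wrote before AH02007 was logged. The client addresses and pid/tid values in the sample are constructed, since the post masks them.

```python
import re

# Constructed sample in the post's log format; client and pid/tid values are
# made up (the post masks them) and two records stay hard-wrapped as mailed.
SAMPLE = """\
[Tue Jul 31 15:30:43.885515 2018] [ssl:info] [pid 10:tid 11]
[client 192.0.2.10:50000] AH01964: Connection to child 68 established (server
localhost:443)
[Tue Jul 31 15:30:43.886134 2018] [ssl:trace4] [pid 10:tid 11] ssl_engine_io.c(2135): [client 192.0.2.10:50000] OpenSSL: read 191/191 bytes from BIO#7fcef0001580 [mem: 7fcef0006dc8] (BIO dump follows)
[Tue Jul 31 15:30:43.908769 2018] [ssl:trace4] [pid 10:tid 11] ssl_engine_io.c(2135): [client 192.0.2.10:50000] OpenSSL: write 2173/2173 bytes to BIO#7fcef0001500 [mem: 7fcef0014030] (BIO dump follows)
[Tue Jul 31 15:30:43.919427 2018] [ssl:debug] [pid 10:tid 11]
ssl_engine_io.c(1308): (70014)End of file found: [client 192.0.2.10:50000]
AH02007: SSL handshake interrupted by system [Hint: Stop button pressed
in browser?!]
[Tue Jul 31 15:31:02.000100 2018] [ssl:trace4] [pid 10:tid 12] ssl_engine_io.c(2135): [client 192.0.2.20:50001] OpenSSL: read 191/191 bytes from BIO#7fcef0001580 [mem: 7fcef0006dc8] (BIO dump follows)
"""

START = re.compile(r"\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d [\d:.]+ \d{4}\] \[")
CLIENT = re.compile(r"\[client ([^\]]+)\]")
IO = re.compile(r"OpenSSL: (read|write) (\d+)/\d+ bytes")

def records(text):
    """Rejoin mail-wrapped lines: a record starts at a timestamp."""
    out = []
    for line in text.splitlines():
        if START.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Per client: bytes read/written by the server and how the handshake ended."""
    conns = {}
    for rec in records(text):
        m = CLIENT.search(rec)
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"read": 0, "write": 0, "aborted": False})
        io = IO.search(rec)
        if io:
            c[io.group(1)] += int(io.group(2))
        c["aborted"] |= "AH02007" in rec
    for c in conns.values():
        c["outcome"] = ("no abort logged" if not c["aborted"] else
                        "EOF after server handshake write" if c["write"] else
                        "EOF before any server write")
    return conns

print(summarize(SAMPLE))
```

The outcome label only says where in the byte exchange the EOF arrived; it does not identify which side's change caused it.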