
Re: svn update via HTTPS works 95% of the time, then randomly shanks, "issuer not trusted"

From: Geoff Hoffman <ghoffman_at_cardinalpath.com>
Date: Tue, 26 Jul 2011 13:25:29 -0700

On Tue, Jul 26, 2011 at 1:20 PM, Dan Yost <yodano_at_gmail.com> wrote:

> On Tue, Jul 26, 2011 at 3:11 PM, Geoff Hoffman
> <ghoffman_at_cardinalpath.com> wrote:
> > Long shot here... this is probably off base, as I am not that experienced
> > with lower-level SSL problems, but are you by chance using an issuer that
> > provides an intermediary certificate?
> > For example, to install an SSL cert from GoDaddy, you have to also include
> > the gd_bundle.crt. The Wikipedia article below makes me wonder if there are
> > just some network hiccups sometimes, trying to validate your certificate
> > chain authority.
> >>
> >> From http://en.wikipedia.org/wiki/Intermediate_certificate_authorities
> >> If the certificate was not issued by a trusted CA, the connecting device
> >> (e.g., a web browser) will then check to see if the issuing CA of the
> >> certificate was issued by a trusted CA, and so on until either a trusted CA
> >> is found (at which point a trusted, secure connection will be established)
> >> or no trusted CA can be found (at which point the device will usually
> >> display an error).
>
> Yes, and indeed this is a GoDaddy cert, with the bundle installed to
> keep the chain intact, so thus it does work that 95% of the time. I
> was thinking that the chain is all presented from the server to client
> in one fell swoop, with no need to go fetch anything else "out there"
> (not that you're suggesting that is what it needs to do--go outside to
> fetch something). But indeed, I suppose it could complicate the
> handshake in such a way as to cause this intermittent failure--would
> really like to be able to "watch" that happen via some kind of verbose
> log.
>
> Dan
>

If this *might* be the problem, I'm guessing that browsers do a better job
of "trying again a few times" than the svn client might. If you can simulate
what your workflow is doing in Firefox with the LiveHeaders plugin, you can
distill it down to a list of FQDNs that are required, then tracert them,
ping them, etc., to see if you have any dropped packets. Also IPs are a
straighter path than DNS names. It may not be easy for you to change
everything around, but if you switched it all to IP-based you could rule out
DNS being a problem.
Received on 2011-07-26 22:26:03 CEST
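The thread asks for a way to "watch" the handshake and catch the intermittent "issuer not trusted" failure. The script below is an added example, not code from either poster or from the Subversion project: it drives `openssl s_client -showcerts` repeatedly against a host, parses which certificates the server actually presented and OpenSSL's "Verify return code", and tallies the outcomes, so a chain that is sometimes served without its intermediate (or a connection that sometimes fails outright) shows up as a distinct bucket rather than a vague 5% failure rate. The hostname `svn.example.com` and the CA names in the embedded sample outputs are constructed placeholders; the sample outputs themselves are constructed to match the layout `s_client` prints and are only there so the parser can be exercised offline.

```python
"""Repeatedly probe an HTTPS endpoint with `openssl s_client` and record, per
attempt, the presented certificate chain and OpenSSL's verification verdict.
Added example; hostname and CA names are placeholders, sample output is constructed."""
import re
import subprocess
from collections import Counter

# Lines of interest in `openssl s_client -showcerts` output:
#   " 0 s:CN = ..."      subject of chain entry 0 (the leaf), 1 (intermediate), ...
#   "   i:C = US, ..."   issuer of the entry just above
#   "Verify return code: 21 (unable to verify the first certificate)"
_CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_VERIFY = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_s_client(output):
    """Return the presented chain and the verify verdict found in s_client output."""
    chain = []
    for line in output.splitlines():
        m = _CHAIN_ENTRY.match(line)
        if m:
            chain.append({"depth": int(m.group(1)),
                          "subject": m.group(2).strip(), "issuer": None})
            continue
        m = _ISSUER.match(line)
        if m and chain and chain[-1]["issuer"] is None:
            chain[-1]["issuer"] = m.group(1).strip()
    m = _VERIFY.search(output)
    code = int(m.group(1)) if m else None          # None: no TLS session at all
    reason = m.group(2) if m else "no verify result (connection failed?)"
    # A server that relies on an intermediate must send at least leaf + intermediate.
    return {"chain": chain, "verify_code": code, "verify_reason": reason,
            "chain_complete": len(chain) >= 2 and code == 0}


def probe(host, port=443, attempts=20, timeout=10):
    """Connect `attempts` times; print one line per attempt, return a tally of verdicts."""
    tally = Counter()
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    for n in range(1, attempts + 1):
        try:
            proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
            out = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
        except (subprocess.TimeoutExpired, FileNotFoundError):
            out = ""
        r = parse_s_client(out)
        tally[(r["verify_code"], r["verify_reason"], len(r["chain"]))] += 1
        print(f"attempt {n:3d}: certs_presented={len(r['chain'])} "
              f"verify={r['verify_code']} ({r['verify_reason']})")
    return tally


# Constructed sample: server sends leaf + intermediate, verification succeeds.
SAMPLE_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = svn.example.com
   i:C = US, O = Example CA Inc., CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA Inc., CN = Example Intermediate CA
   i:C = US, O = Example CA Inc., CN = Example Root CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = svn.example.com
issuer=C = US, O = Example CA Inc., CN = Example Intermediate CA
---
    Verify return code: 0 (ok)
"""

# Constructed sample: only the leaf is sent, so the client cannot build the chain.
SAMPLE_MISSING_INTERMEDIATE = """CONNECTED(00000003)
depth=0 CN = svn.example.com
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = svn.example.com
   i:C = US, O = Example CA Inc., CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    print(probe("svn.example.com", attempts=5))
```

If most attempts report two certificates and code 0 but a few report only one certificate (or no verify result at all), the fault is on the serving side or the path to it, which is the distinction Dan's "verbose log" would need to make; the per-attempt tally is also what you would compare against the IP-based run Geoff suggests.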

This is an archived mail posted to the Subversion Users mailing list.