You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@subversion.apache.org by Greg Troxel <gd...@ir.bbn.com> on 2009/08/11 18:35:51 UTC

Re: parse tlsext bug

[moved to users@ because this doesn't feel like an svn bug]

  I think I've found a bug in Subversion. I'm not quite sure whether this is
  actually a bug in Subversion or in Apache HTTPd but since the error
  "manifests" itself in Subversion I'll try it here first.

  The error reads like this:

  SSL negotiation failed: SSL error: parse tlsext

I am getting this too, tending to get it on larger operations and only
on some hosts.

My setup is

  server:  netbsd/amd64 5.0.  apache 2.2.12, svn 1.6.4, authz

  client: netbsd/i386 5.0 svn 1.6.4

with

  client: linux/i386 2.6.28 svn 1.6.1

I don't have the problem.

With 2.2.11 plus security patches (specifically, pkgsrc www/apache22
version 2.2.11nb6), the large diff that failed now works.


I already have SSLSessionCache disabled.

Has anyone tried 2.2.13?  The release notes don't indicate a fix for this.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2382623

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: AW: parse tlsext bug

Posted by Slim Farza <sf...@gmail.com>.

Is there any update on this issue?

Thank you.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2406279

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

AW: parse tlsext bug

Posted by Sebastian Krysmanski <se...@krysmanski.de>.

Since I'm the only one interested in this issue (at least it seems that way) and nobody else seems to care (neither here nor in the IRC channel) I'm "closing" this issue by removing myself from this mailing list. Hopefully a lot of other people will encounter this problem in the future so that it'll be noticed by the developers. But until then it seems as if I've no choice but stick with Apache 2.2.11.

Sebastian

-----Ursprüngliche Nachricht-----
Von: Sebastian Krysmanski [mailto:sebastian@krysmanski.de] 
Gesendet: Mittwoch, 2. September 2009 07:14
An: users@subversion.tigris.org
Betreff: AW: parse tlsext bug

Hmm, I think it's the other way around. I think the error only occurs when
OpenSSL is compiled with tlsext enabled and doesn't occur when tlsext is
disabled as on my system tlsext is enabled. However, I can't disable tlsext
on my OpenSSL installation as it's shipped with my Distro (Ubuntu 9.04) and
required by basic applications. (I fear I could break the system when I try
to replace the OpenSSL installation.) Moreover I think (but I'm not sure)
that this only affect the svn client but not the svn server (i.e. Apache's
mod_ssl).

I've also tried the configuration directive you provided but it didn't work.
The problem still remains.

Sebastian

-----Ursprüngliche Nachricht-----
Von: George Stein [mailto:svn.4.george_stein@spamgourmet.com] 
Gesendet: Dienstag, 1. September 2009 14:10
An: users@subversion.tigris.org
Betreff: RE: parse tlsext bug

Sebastian,

I had a similar problem in Win32. 

It might be caused when OpenSSL was built without enabling TLS extensions
[1,2].

As a workaround I set in httpd.conf [3,4]:
SSLProtocol -ALL +SSLv2 +SSLv3

George

[1] http://code.google.com/p/support/issues/detail?id=1395
[2] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
[3] http://www.svnforum.org/2017/viewtopic.php?t=8466
[4] http://www.modssl.org/docs/2.8/ssl_reference.html#ToC8

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=23
89739

To unsubscribe from this discussion, e-mail:
[users-unsubscribe@subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390046

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2393204

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

AW: parse tlsext bug

Posted by Sebastian Krysmanski <se...@krysmanski.de>.

Hmm, I think it's the other way around. I think the error only occurs when
OpenSSL is compiled with tlsext enabled and doesn't occur when tlsext is
disabled as on my system tlsext is enabled. However, I can't disable tlsext
on my OpenSSL installation as it's shipped with my Distro (Ubuntu 9.04) and
required by basic applications. (I fear I could break the system when I try
to replace the OpenSSL installation.) Moreover I think (but I'm not sure)
that this only affect the svn client but not the svn server (i.e. Apache's
mod_ssl).

I've also tried the configuration directive you provided but it didn't work.
The problem still remains.

Sebastian

-----Ursprüngliche Nachricht-----
Von: George Stein [mailto:svn.4.george_stein@spamgourmet.com] 
Gesendet: Dienstag, 1. September 2009 14:10
An: users@subversion.tigris.org
Betreff: RE: parse tlsext bug

Sebastian,

I had a similar problem in Win32. 

It might be caused when OpenSSL was built without enabling TLS extensions
[1,2].

As a workaround I set in httpd.conf [3,4]:
SSLProtocol -ALL +SSLv2 +SSLv3

George

[1] http://code.google.com/p/support/issues/detail?id=1395
[2] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
[3] http://www.svnforum.org/2017/viewtopic.php?t=8466
[4] http://www.modssl.org/docs/2.8/ssl_reference.html#ToC8

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=23
89739

To unsubscribe from this discussion, e-mail:
[users-unsubscribe@subversion.tigris.org].

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2390046

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

RE: parse tlsext bug

Posted by George Stein <sv...@spamgourmet.com>.

Sebastian,

I had a similar problem in Win32. 

It might be caused when OpenSSL was built without enabling TLS extensions [1,2].

As a workaround I set in httpd.conf [3,4]:
SSLProtocol -ALL +SSLv2 +SSLv3

George

[1] http://code.google.com/p/support/issues/detail?id=1395
[2] http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
[3] http://www.svnforum.org/2017/viewtopic.php?t=8466
[4] http://www.modssl.org/docs/2.8/ssl_reference.html#ToC8

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2389739

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].

AW: parse tlsext bug

Posted by Sebastian Krysmanski <se...@krysmanski.de>.

I've just tried it using apache 2.2.13 with svn.1.6.4. No luck here. The
problem still exists. It would be nice if a Subversion developer would look
into that problem (even though it doesn't seem to be a Subversion problem;
but in this case we would at least know where to start looking for the
problem).

Regards
Sebastian

-----Ursprüngliche Nachricht-----
Von: Greg Troxel [mailto:gdt@ir.bbn.com] 
Gesendet: Dienstag, 11. August 2009 20:36
An: Sebastian Krysmanski
Cc: users@subversion.tigris.org
Betreff: Re: parse tlsext bug


[moved to users@ because this doesn't feel like an svn bug]

  I think I've found a bug in Subversion. I'm not quite sure whether this is
  actually a bug in Subversion or in Apache HTTPd but since the error
  "manifests" itself in Subversion I'll try it here first.

  The error reads like this:

  SSL negotiation failed: SSL error: parse tlsext

I am getting this too, tending to get it on larger operations and only
on some hosts.

My setup is

  server:  netbsd/amd64 5.0.  apache 2.2.12, svn 1.6.4, authz

  client: netbsd/i386 5.0 svn 1.6.4

with

  client: linux/i386 2.6.28 svn 1.6.1

I don't have the problem.

With 2.2.11 plus security patches (specifically, pkgsrc www/apache22
version 2.2.11nb6), the large diff that failed now works.


I already have SSLSessionCache disabled.

Has anyone tried 2.2.13?  The release notes don't indicate a fix for this.

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2385134

To unsubscribe from this discussion, e-mail: [users-unsubscribe@subversion.tigris.org].