Posted to users@subversion.apache.org by Paolo Cavallini <ca...@faunalia.it> on 2013/03/03 11:31:33 UTC

Possible bug: Bad record MAC

Hi all.
I'm consistently getting this error when svn up or ci:

 Could not read status line: SSL alert received: Bad record MAC

Unsure whether it's an svn problem, or a network one. I've checked with my server
hosting, and they say it's software, but I cannot find a reference to it.
Any hint on how to debug this would be appreciated.
All the best.
-- 
Paolo Cavallini - Faunalia
www.faunalia.eu
Full contact details at www.faunalia.eu/pc
New QGIS and PostGIS courses: http://www.faunalia.it/calendario

Re: Possible bug: Bad record MAC

Posted by Paolo Cavallini <ca...@faunalia.it>.

On 05/03/2013 23:12, Philip Martin wrote:
>> On 05/03/2013 14:09, Philip Martin wrote:
>> 
>>> You don't say which client/OS you are using or which http
>>> library the Subversion client is using.
>> 
>> subversion 1.6.17dfsg-4 openssl 1.0.1e-1 on debian testing, up to
>> date. I tried downgrading openssl, the error remains the same.
> 
> Debian's Subversion uses GnuTLS rather than OpenSSL.


Oh, I see; I'm using libgnutls26 2.12.20-4
No other versions available for wheezy. There is also:
gnutls26 (2.12.23-1) experimental; urgency=low
but frankly I'd prefer to avoid it on a production server.
Any hint appreciated.
Thanks.
-- 
Paolo Cavallini - Faunalia
www.faunalia.eu
Full contact details at www.faunalia.eu/pc
New QGIS and PostGIS courses: http://www.faunalia.it/calendario

Re: Possible bug: Bad record MAC

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Philip Martin wrote on Tue, Mar 05, 2013 at 22:12:17 +0000:
> Paolo Cavallini <ca...@faunalia.it> writes:
> > Network has been checked, cables and switch have been changed, firewall
> > and proxy have not changed.
> > So it could be a communication problem between openssl and subversion.
> >
> > Any hint on how to debug will be greatly appreciated.
> 
> Debugging SSL is hard.  I don't really know what to suggest.  Perhaps
> build a debug version of GnuTLS and use gdb to stop at the point the
> error is raised and examine the decoded data that is causing the
> problem.

Couldn't you get a wireshark/tcpdump trace and then use the server's SSL
private key to decrypt it?

I think it's possible, but I don't know offhand of tools that do it.

Re: Possible bug: Bad record MAC

Posted by Philip Martin <ph...@wandisco.com>.
Paolo Cavallini <ca...@faunalia.it> writes:

> Hi Philip,
> thanks for your reply.
>
> On 05/03/2013 14:09, Philip Martin wrote:
>
>> You don't say which client/OS you are using or which http library
>> the Subversion client is using.
>
> subversion 1.6.17dfsg-4
> openssl 1.0.1e-1
> on debian testing, up to date.
> I tried downgrading openssl, the error remains the same.

Debian's Subversion uses GnuTLS rather than OpenSSL.  I suppose you
could build an older/newer GnuTLS and try that.  Or you could rebuild
Subversion and neon to use OpenSSL and see if that fixes the problem.
Or you could rebuild Subversion to use serf and use that instead of
neon.  Or perhaps the 3rd party Subversion binaries use OpenSSL and/or
have serf support.

> Network has been checked, cables and switch have been changed, firewall
> and proxy have not changed.
> So it could be a communication problem between openssl and subversion.
>
> Any hint on how to debug will be greatly appreciated.

Debugging SSL is hard.  I don't really know what to suggest.  Perhaps
build a debug version of GnuTLS and use gdb to stop at the point the
error is raised and examine the decoded data that is causing the
problem.

-- 
Certified & Supported Apache Subversion Downloads:
http://www.wandisco.com/subversion/download

Re: Possible bug: Bad record MAC

Posted by Paolo Cavallini <ca...@faunalia.it>.

Hi Philip,
thanks for your reply.

On 05/03/2013 14:09, Philip Martin wrote:

> You don't say which client/OS you are using or which http library
> the Subversion client is using.

subversion 1.6.17dfsg-4
openssl 1.0.1e-1
on debian testing, up to date.
I tried downgrading openssl, the error remains the same.

> Does it happen every time you contact the server or does it happen
> once an update/checkout has started?

It happens when committing, after transmission, but only on specific
files.

> This is a low level error from the SSL/HTTP libraries used by 
> Subversion.  It's a standard SSL error that indicates that
> consistency checks on the SSL data in the SSL library have failed.
> The root cause could be network hardware, a firewall, a proxy, an
> incompatibility between the SSL implementation on the client and
> server, etc. Here is one example: 
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1134873

Network has been checked, cables and switch have been changed, firewall
and proxy have not changed.
So it could be a communication problem between openssl and subversion.

Any hint on how to debug will be greatly appreciated.

All the best.
-- 
Paolo Cavallini - Faunalia
www.faunalia.eu
Full contact details at www.faunalia.eu/pc
New QGIS and PostGIS courses: http://www.faunalia.it/calendario

Re: Possible bug: Bad record MAC

Posted by Philip Martin <ph...@wandisco.com>.
Paolo Cavallini <ca...@faunalia.it> writes:

> I'm consistently getting this error when svn up or ci:
>
>  Could not read status line: SSL alert received: Bad record MAC
>
> Unsure whether it's an svn problem, or a network one. I've checked
> with my server hosting, and they say it's software, but I cannot find
> a reference to it.  Any hint on how to debug this would be
> appreciated.

You don't say which client/OS you are using or which http library the
Subversion client is using.  Does it happen every time you contact the
server or does it happen once an update/checkout has started?

This is a low level error from the SSL/HTTP libraries used by
Subversion.  It's a standard SSL error that indicates that consistency
checks on the SSL data in the SSL library have failed.  The root cause
could be network hardware, a firewall, a proxy, an incompatibility
between the SSL implementation on the client and server, etc.
Here is one example:
  https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1134873

-- 
Certified & Supported Apache Subversion Downloads:
http://www.wandisco.com/subversion/download
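
Added example, not part of the original thread and not Subversion, neon or GnuTLS code: a sketch of the record "consistency check" behind the Bad record MAC alert, following RFC 5246 section 6.2.3.1 for an HMAC-SHA1 cipher suite with the encryption step left out. The key, payload and sequence numbers are constructed; it shows that a damaged byte, a sequence-number mismatch and mismatched keys all end in the same alert, which is why the alert alone does not identify the cause.

```python
import hashlib
import hmac
import struct

ALERT_BAD_RECORD_MAC = 20   # AlertDescription bad_record_mac, RFC 5246 section 7.2
APPLICATION_DATA = 23       # ContentType application_data
TLS_1_2 = 0x0303            # assumed protocol version for the demo
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1 suites


def record_mac(mac_key, seq_num, content_type, version, fragment):
    """HMAC over seq_num || type || version || length || fragment.
    seq_num is an implicit per-direction counter; it is never sent."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def protect(mac_key, seq_num, fragment):
    """Sender: append the MAC (encryption is omitted in this sketch)."""
    return fragment + record_mac(mac_key, seq_num, APPLICATION_DATA, TLS_1_2, fragment)


def verify(mac_key, seq_num, protected):
    """Receiver: return (fragment, None) or (None, alert description)."""
    fragment, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
    expected = record_mac(mac_key, seq_num, APPLICATION_DATA, TLS_1_2, fragment)
    if not hmac.compare_digest(tag, expected):
        return None, ALERT_BAD_RECORD_MAC
    return fragment, None


def demo():
    key = b"constructed-mac-key!"                 # constructed sample key
    body = b"constructed commit payload bytes"    # constructed sample data
    record = protect(key, 5, body)
    flipped = bytearray(record)
    flipped[3] ^= 0x01                            # one bit damaged in transit
    return {
        "intact": verify(key, 5, record),
        "bit_flip": verify(key, 5, bytes(flipped)),
        # Receiver's counter is one ahead, e.g. a record was lost or injected.
        "seq_desync": verify(key, 6, record),
        # The two ends hold different keys (implementation mismatch).
        "wrong_key": verify(b"other-constructed-key", 5, record),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```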