Better error message when certificate verification on HTTPS fails?

[Thorsten Schöning <ts...@am-soft.de>]

Hi all,

one of our customers ran into problems when updating a software
installation using TortoiseSVN in the most current version 1.9.3,
Build 27038. The message was something around the following, I sadly
don't have the exact wording anymore, but the error code etc. is
correct:

> svn error code E720006 error running context the handle is invalid

Error code 6 is ERROR_INVALID_HANDLE of Windows, so the msg should be
correct. The error occurred with Tortoise itself and its provided svn
shell client.

The requested svn repo is hosted on a server accessible via HTTPS and
the used certificate specifies "http://gv.symcd.com" as an OCSP
target. The customers firewall blocked access to this domain,
resulting in ERROR_INVALID_HANDLE in svn somewhere and after the
access was granted the problem went away and the download succeeded
without any problems.

The interesting part is that there was no local working copy, we made
a complete fresh checkout, the server needs authentication and
Tortoise started to download some data already, created some empty
folders it couldn't know about without access to the repo and such.
Therefore there must have been at least some communication already
until the error occurred and that's why I wrongly ruled out the
firewall early.

So, do you see any chance to improve this generic error message and
mention something around certificate verification or that resolving
some domain failed or such? This would have made finding the error a
lot easier.

Thanks!

Mit freundlichen Grüßen,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail: Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Telefon...........05151-  9468- 55
Fax...............05151-  9468- 88
Mobil..............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Geschäftsführer: Andreas Muchow

Re: Better error message when certificate verification on HTTPS fails?

[Branko Čibej <br...@apache.org>]

On 07.03.2016 15:20, Thorsten Schöning wrote:
> Hi all,
>
> one of our customers ran into problems when updating a software
> installation using TortoiseSVN in the most current version 1.9.3,
> Build 27038. The message was something around the following, I sadly
> don't have the exact wording anymore, but the error code etc. is
> correct:
>
>> svn error code E720006 error running context the handle is invalid
> Error code 6 is ERROR_INVALID_HANDLE of Windows, so the msg should be
> correct. The error occurred with Tortoise itself and its provided svn
> shell client.
>
> The requested svn repo is hosted on a server accessible via HTTPS and
> the used certificate specifies "http://gv.symcd.com" as an OCSP
> target. The customers firewall blocked access to this domain,
> resulting in ERROR_INVALID_HANDLE in svn somewhere and after the
> access was granted the problem went away and the download succeeded
> without any problems.
>
> The interesting part is that there was no local working copy, we made
> a complete fresh checkout, the server needs authentication and
> Tortoise started to download some data already, created some empty
> folders it couldn't know about without access to the repo and such.
> Therefore there must have been at least some communication already
> until the error occurred and that's why I wrongly ruled out the
> firewall early.
>
> So, do you see any chance to improve this generic error message and
> mention something around certificate verification or that resolving
> some domain failed or such? This would have made finding the error a
> lot easier.

The error probably comes from Serf when the connection to the OCSP
server is refused; apparently the OCSP verification request is performed
asynchronously (and no, I'm not entirely sure that's correct; I'd have
to read the spec).

Anyway, Serf doesn't have detailed error codes for various certificate
validation failures; until and unless it gets them, I'm not sure how
Subversion could detect this case.

-- Brane