Posted to users@subversion.apache.org by Sean McBride <se...@rogue-research.com> on 2014/10/24 16:49:46 UTC

svn always fails with E120171, but only from some clients

Hi there,

On some computers only, 'svn info' is always giving:

svn: E120171: Error running context: An error occurred during SSL communication

when connecting to our own svn server.  This worked previously, but stopped working (I think) after our self-signed certificate expired and was therefore replaced.  First we replaced it with another self-signed cert, then we replaced it with a purchased wildcard cert.

- I reproduce this with svn 1.8.10 (Wandisco binaries on OS X) on the client.
- Server runs 1.7.18 (Wandisco binaries on OS X).
- I have deleted ~/.subversion on the client, no help.
- I created an entire new user account on the client machine, no help.
- visiting https://my.server.com/path/to/repository in a browser (tried several) prompts for authentication, succeeds, and shows the expected files.
- I ran "openssl s_client -showcerts -connect <my.server.com>:443" and it reports at the end:
  "Verify return code: 0 (ok)"

I'm now feeling pretty stuck. :(  Any suggestions on what this problem is, or how I can diagnose it further?

PS: First post to this list, please be gentle. :)

Thanks,

-- 
____________________________________________________________
Sean McBride, B. Eng                 sean@rogue-research.com
Rogue Research                        www.rogue-research.com 
Mac Software Developer              Montréal, Québec, Canada



Re: svn always fails with E120171, but only from some clients

Posted by Philip Martin <ph...@wandisco.com>.
"Sean McBride" <se...@rogue-research.com> writes:

> On Fri, 24 Oct 2014 16:24:58 +0100, Philip Martin said:
>
>>Is apache using SSLVerifyClient to require the client to provide a
>>certificate?
>
> I'm not too familiar with apache, but I'm going to say "no", which I
> conclude from this:
>
> $ cd /Library/Server/Web/
> $ grep -R -i SSLVerifyClient *
>
> which finds nothing.
>
> Is that a setting I should want set to something in particular?

No.  It would be used if you wanted to force clients to provide a cert.

>>The 1.8 client defaults to not prompting for a client cert
>>if no cert is configured and that will cause the error you report.  See:
>>
>>http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression
>
> I edited ~/.subversion/config and uncommented
> "ssl-client-cert-file-prompt" and set it to "yes".  Still got E120171.

Debugging SSL errors can be very hard.  Is there anything in the server
error log?

> I see you are @wandisco.  Do your svn binaries have a built-in
> statically linked version of OpenSSL or do they use the OS's version?

I don't know. I suspect they use the system library and it will show up
using 

ldd /usr/bin/svn

or whatever the OSX equivalent is, otool perhaps.

-- 
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*

Re: svn always fails with E120171, but only from some clients

Posted by Sean McBride <se...@rogue-research.com>.
On Fri, 24 Oct 2014 16:24:58 +0100, Philip Martin said:

>Is apache using SSLVerifyClient to require the client to provide a
>certificate?

I'm not too familiar with apache, but I'm going to say "no", which I conclude from this:

$ cd /Library/Server/Web/
$ grep -R -i SSLVerifyClient *

which finds nothing.

Is that a setting I should want set to something in particular?

>The 1.8 client defaults to not prompting for a client cert
>if no cert is configured and that will cause the error you report.  See:
>
>http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression

I edited ~/.subversion/config and uncommented "ssl-client-cert-file-prompt" and set it to "yes".  Still got E120171.

I see you are @wandisco.  Do your svn binaries have a built-in statically linked version of OpenSSL or do they use the OS's version?

Cheers,

-- 
____________________________________________________________
Sean McBride, B. Eng                 sean@rogue-research.com
Rogue Research                        www.rogue-research.com 
Mac Software Developer              Montréal, Québec, Canada



Re: svn always fails with E120171, but only from some clients

Posted by Philip Martin <ph...@wandisco.com>.
"Sean McBride" <se...@rogue-research.com> writes:

> On some computers only, 'svn info' is always giving:
>
> svn: E120171: Error running context: An error occurred during SSL communication
>
> when connecting to our own svn server.  This worked previously, but
> stopped working (I think) after our self-signed certificate expired
> and was therefore replaced.  First we replaced it with another
> self-signed cert, then we replaced it with a purchased wildcard cert.
>
> - I reproduce this with svn 1.8.10 (Wandisco binaries on OS X) on the client.
> - Server runs 1.7.18 (Wandisco binaries on OS X).
> - I have deleted ~/.subversion on the client, no help.
> - I created an entire new user account on the client machine, no help.
> - visiting https://my.server.com/path/to/repository in a browser (tried several) prompts for authentication, succeeds, and shows the expected files.
> - I ran "openssl s_client -showcerts -connect <my.server.com>:443" and it reports at the end:
>   "Verify return code: 0 (ok)"
>
> I'm now feeling pretty stuck. :( Any suggestions on what this problem
> is, or how I can diagnose it further?

Is apache using SSLVerifyClient to require the client to provide a
certificate?  The 1.8 client defaults to not prompting for a client cert
if no cert is configured and that will cause the error you report.  See:

http://subversion.apache.org/docs/release-notes/1.8.html#client-cert-prompt-suppression

-- 
Philip Martin | Subversion Committer
WANdisco // *Non-Stop Data*

Re: svn always fails with E120171, but only from some clients

Posted by Lieven Govaerts <lg...@mobsol.be>.
On Fri, Oct 24, 2014 at 4:49 PM, Sean McBride <se...@rogue-research.com> wrote:
> Hi there,
>
> On some computers only, 'svn info' is always giving:
>
> svn: E120171: Error running context: An error occurred during SSL communication
>
> when connecting to our own svn server.  This worked previously, but stopped working (I think) after our self-signed certificate expired and was therefore replaced.  First we replaced it with another self-signed cert, then we replaced it with a purchased wildcard cert.
>
> - I reproduce this with svn 1.8.10 (Wandisco binaries on OS X) on the client.

I've seen such SSL failures on Macs before. It was caused by not
having an up-to-date OpenSSL library installed. Not all distributions
of svn do that apparently (e.g. Homebrew).

Older OpenSSL versions don't always support recent X509 certificates,
a (well known) example is the use of SHA-256 as signature hash
algorithm, where older OpenSSL versions support SHA-1, but not
SHA-256.

> - Server runs 1.7.18 (Wandisco binaries on OS X).
> - I have deleted ~/.subversion on the client, no help.
> - I created an entire new user account on the client machine, no help.
> - visiting https://my.server.com/path/to/repository in a browser (tried several) prompts for authentication, succeeds, and shows the expected files.
> - I ran "openssl s_client -showcerts -connect <my.server.com>:443" and it reports at the end:
>   "Verify return code: 0 (ok)"
>
> I'm now feeling pretty stuck. :(  Any suggestions on what this problem is, or how I can diagnose it further?
>

Personally I've always stuck with using svn from MacPorts, which
automatically installs the latest OpenSSL.

Lieven

> PS: First post to this list, please be gentle. :)
>
> Thanks,
>
> --
> ____________________________________________________________
> Sean McBride, B. Eng                 sean@rogue-research.com
> Rogue Research                        www.rogue-research.com
> Mac Software Developer              Montréal, Québec, Canada
>
>
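
Added example, not part of the thread: a shell sketch of the two checks the replies point at, namely which TLS libraries the svn binary links against and which signature hash the server certificate uses. The function names, paths and sample listings are constructed; the `openssl` command on the PATH need not be the same library build that svn loads, so both sides are worth checking.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Filter `otool -L` (OS X) or `ldd` (Linux) output on stdin down to the
# TLS-related libraries. otool -L lists direct dependencies only, so
# repeat it on any libserf/libneon path it reports.
ssl_libs_from_listing() {
    awk '/lib(ssl|crypto|serf|neon)/ { print $1 }'
}

# First "Signature Algorithm" field of `openssl x509 -noout -text` output.
sig_alg_from_text() {
    awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# Reduce an algorithm name to the hash family discussed in the thread.
hash_family() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha1*)                              echo sha1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo sha2 ;;
        *md5*)                               echo md5 ;;
        *)                                   echo unknown ;;
    esac
}

# Live check: $1 = path to the svn binary, $2 = host:port of the server.
check_client_and_server() {
    case "$(uname -s)" in
        Darwin) otool -L "$1" ;;
        *)      ldd "$1" ;;
    esac | ssl_libs_from_listing
    alg=$(openssl s_client -connect "$2" </dev/null 2>/dev/null |
          openssl x509 -noout -text | sig_alg_from_text)
    echo "server cert: $alg ($(hash_family "$alg"))"
}

# Constructed sample input (not captured from the poster's machines).
SAMPLE_OTOOL='/opt/example/bin/svn:
    /opt/example/lib/libserf-1.dylib (compatibility version 4.0.0, current version 4.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1.0.0)'
SAMPLE_X509='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example CA'
```

Run `check_client_and_server /path/to/svn my.server.com:443` on a failing and a working client and compare the library paths each one reports.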