You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Ed Zaron <ez...@coas.oregonstate.edu> on 2006/03/15 22:30:28 UTC
Re: SSL error: decryption failed or bad record mac
Hello Everybody,
I am having the same problem described in a couple of archived posts
from last year. I wonder if there is any more information or a
solution? The error message is in the subject line.
Unfortunately, this error occurs most commonly with large commits. I
have also seen it with the 'svn copy' command. Sometimes, I can change
the text of the commit message or delete a few spaces from a file, and
the commit will work. I tried using a pipe from ls -1 to xargs to do
commit a large project one file at a time, and it worked fine but it
was very slow.
I had never encountered this problem before, but I recently made some
upgrades using Darwinports:
(I am running Apple OS X 10.3.9; gcc 3.3 20030304)
apache2 2.0.55 to 2.2.0
apr 0.9.7 to 1.2.2
apr-util 0.9.7 to 1.2.2
expat 1.95.8 to 2.0.0
(libssh is 0.1)
mod_python 3.1.3 to 3.1.4
neon 0.24.7 to 0.25.5
(openssl is 0.9.8a)
subversion 1.2.3 to 1.3.0 +mod_dav_svn
Also, I recently updated my self-signed certificate. I have a dynamic
IP address, which is usually unchanged, but whenever an extended power
outage occurred in my building, I would get a new IP address and have
to switch all of my working copies to point to the new repo address.
This caused problems with some windows svn clients, which blocked
connections to my https site because my actual IP address and hostname
did not match what was in my secure certificates.
Any suggestions would be much appreciated.
Regards,
Ed
..............................................
Edward D. Zaron
Research Associate
College of Oceanic and Atmospheric Sciences
Oregon State University
Corvallis, OR 97331-5503
Phone: (503) 341-0659
Fax: (541) 737-2064
ezaron@coas.oregonstate.edu
...............................................
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSL error: decryption failed or bad record mac : RESOLVED
Posted by Jonathan Williams <jo...@nyu.edu>.
Hi Ed,
I'm just replying to you on list to mention that I did try the
openssl 0.9.7 Portfile. My machine is an x86 Mac and it didn't build
with 0.9.7 as the 0.9.8 Portfile has many of the changes for moving
to intel. I didn't have any luck manually merging these. So what I've
done is use a fake DarwinPorts receipt to make everything use the /
usr openssl library. (There have been some... side issues getting php
and apache to work, but hacking portfiles usually does the trick.)
Hope this helps someone.
--
Jonathan C. Williams
Web Programmer
Steinhardt School of Education
jonathan.williams@nyu.edu :: 212-998-5308
On Mar 21, 2006, at 11:12 AM, Ed Zaron wrote:
> This subversion/ssl bug was a real pain in the ass!
>
> I have attached a tar file of the Portfile and patch directory.
>
> Remember that you will need to deactivate, clean, and rebuild all
> the dependencies.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSL error: decryption failed or bad record mac : RESOLVED
Posted by Ed Zaron <ez...@coas.oregonstate.edu>.
Hi All,
I found a reference to a problem with the same error message in the
archives of an openssl listserv, and one of the openssl developers
suggested reverting to openssl 0.9.7 from 0.9.8a.
Well, this seems to be a fix, for now.
I had an old version of the openssl port in an obsolete darwinports tree
on my machine and reinstalled openssl and dependencies up through
subversion.
If you are having this SSL error, it is pretty confounding, because it
only occurs for large commits/copies. If you are using darwinports for the
install, I can send you the portfile for openssl 0.9.7e, which seems to
work.
To conclude, this combination seems to be stable:
zlib 1.2.3
libiconv 1.10
expat 2.0.0
openssl 0.9.7e
apache 2.2
neon 0.25.5
python 2.4.2
mod_python 3.1.4
apr 1.2.2
apr-util 1.2.2
subversion 1.3.0
-Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Edward D. Zaron
Research Associate
College of Oceanography and Atmospheric Science
Oregon State University
104 COAS Admin Bldg
Corvallis, OR 97331-5503
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On Wed, 15 Mar 2006, Jonathan Williams wrote:
> Hi Ed!
>
> On Mar 15, 2006, at 5:30 PM, Ed Zaron wrote:
>>
>> I am having the same problem described in a couple of archived posts from
>> last year. I wonder if there is any more information or a solution? The
>> error message is in the subject line.
>>
>> I had never encountered this problem before, but I recently made some
>> upgrades using Darwinports:
>> (I am running Apple OS X 10.3.9; gcc 3.3 20030304)
>
>
> Just wanted to chime in and mention that I am having the exact same problem
> on Mac OS X 10.4.5 (intel) with all my packages built from Darwinports as
> well.
>
> I recently had an issue with Darwinports Apache having issues with loading
> both DP and Apple Kerberos libraries (detailed in this thread:
> http://mailman.mit.edu/pipermail/kerberos/2006-March/009406.html). I wonder
> if the issue is similar.
>
>> Also, I recently updated my self-signed certificate. I have a dynamic IP
>> address, which is usually unchanged, but whenever an extended power outage
>> occurred in my building, I would get a new IP address and have to switch
>> all of my working copies to point to the new repo address. This caused
>> problems with some windows svn clients, which blocked connections to my
>> https site because my actual IP address and hostname did not match what was
>> in my secure certificates.
>
> I wouldn't worry about this causing the problem.
>
> What I would suggest is that someone with a know good apache+ssl server
> contact Ed and/or myself to arrange to try our clients out on a large svn
> import to it. The process should be also done for our Apache SSL servers with
> a known good client. We need to figure out where the problem is originating.
>
> Any takers?
>
> --
> Jonathan C. Williams
> Web Programmer
> Steinhardt School of Education
> jonathan.williams@nyu.edu :: 212-998-5308
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSL error: decryption failed or bad record mac : more clues
Posted by Ed Zaron <ez...@coas.oregonstate.edu>.
Hi Jonathan,
I looked at the the kerberos thread you mentioned below. I have had some
problems with dynamic libraries for some Darwinports builds, e.g.,
openssh, and I wonder if this could be related. (Although, it is weird
that this error is related to the size of the import. It seems like a
dylib problem would break the executable completely.)
Anyway, I uninstalled and cleaned out the whole chain of dependencies
back to zlib and libiconv (subversion, apache2, apr, apr-util, neon,
expat, mod_python, libssl, openssl, zlib, libiconv), and then rebuilt
subversion. Before that, I had tried reverting to older versions to no
avail. (Yes, I restarted the httpd -D SSL deamons between each
reversion/build). I still get exactly the same error.
But ... now Darwinports can build openssh without a conflict between
symbols from dylibs in /opt/local and /usr/local. Unfortunately, I don't
know if the openssh portfile had changed between my previous,
unsuccessful, attempts to build openssh and today's attempt.
I will post more details tomorrow, when I get back to a computer that
alllows me to cut and paste from a terminal window and the email
program. I'll also start cross-posting to the darwinports list.
This is so strange, because I have been using subversion for over a year
without seeing this problem, even with large projects/working copies.
-Ed
Jonathan Williams wrote:
> Hi Ed!
>
> On Mar 15, 2006, at 5:30 PM, Ed Zaron wrote:
>
>>
>> I am having the same problem described in a couple of archived posts
>> from last year. I wonder if there is any more information or a
>> solution? The error message is in the subject line.
>>
>> I had never encountered this problem before, but I recently made
>> some upgrades using Darwinports:
>> (I am running Apple OS X 10.3.9; gcc 3.3 20030304)
>
>
>
> Just wanted to chime in and mention that I am having the exact same
> problem on Mac OS X 10.4.5 (intel) with all my packages built from
> Darwinports as well.
>
> I recently had an issue with Darwinports Apache having issues with
> loading both DP and Apple Kerberos libraries (detailed in this
> thread: http://mailman.mit.edu/pipermail/kerberos/2006-March/
> 009406.html). I wonder if the issue is similar.
>
>> Also, I recently updated my self-signed certificate. I have a
>> dynamic IP address, which is usually unchanged, but whenever an
>> extended power outage occurred in my building, I would get a new IP
>> address and have to switch all of my working copies to point to the
>> new repo address. This caused problems with some windows svn
>> clients, which blocked connections to my https site because my
>> actual IP address and hostname did not match what was in my secure
>> certificates.
>
>
> I wouldn't worry about this causing the problem.
>
> What I would suggest is that someone with a know good apache+ssl
> server contact Ed and/or myself to arrange to try our clients out on
> a large svn import to it. The process should be also done for our
> Apache SSL servers with a known good client. We need to figure out
> where the problem is originating.
>
> Any takers?
>
> --
> Jonathan C. Williams
> Web Programmer
> Steinhardt School of Education
> jonathan.williams@nyu.edu :: 212-998-5308
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSL error: decryption failed or bad record mac
Posted by Jonathan Williams <jo...@nyu.edu>.
Hi Ed!
On Mar 15, 2006, at 5:30 PM, Ed Zaron wrote:
>
> I am having the same problem described in a couple of archived
> posts from last year. I wonder if there is any more information or
> a solution? The error message is in the subject line.
>
> I had never encountered this problem before, but I recently made
> some upgrades using Darwinports:
> (I am running Apple OS X 10.3.9; gcc 3.3 20030304)
Just wanted to chime in and mention that I am having the exact same
problem on Mac OS X 10.4.5 (intel) with all my packages built from
Darwinports as well.
I recently had an issue with Darwinports Apache having issues with
loading both DP and Apple Kerberos libraries (detailed in this
thread: http://mailman.mit.edu/pipermail/kerberos/2006-March/
009406.html). I wonder if the issue is similar.
> Also, I recently updated my self-signed certificate. I have a
> dynamic IP address, which is usually unchanged, but whenever an
> extended power outage occurred in my building, I would get a new IP
> address and have to switch all of my working copies to point to the
> new repo address. This caused problems with some windows svn
> clients, which blocked connections to my https site because my
> actual IP address and hostname did not match what was in my secure
> certificates.
I wouldn't worry about this causing the problem.
What I would suggest is that someone with a know good apache+ssl
server contact Ed and/or myself to arrange to try our clients out on
a large svn import to it. The process should be also done for our
Apache SSL servers with a known good client. We need to figure out
where the problem is originating.
Any takers?
--
Jonathan C. Williams
Web Programmer
Steinhardt School of Education
jonathan.williams@nyu.edu :: 212-998-5308
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SSL error: decryption failed or bad record mac
Posted by Ryan Schmidt <su...@ryandesign.com>.
On Mar 15, 2006, at 23:30, Ed Zaron wrote:
> I have a dynamic IP address, which is usually unchanged, but
> whenever an extended power outage occurred in my building, I would
> get a new IP address and have to switch all of my working copies to
> point to the new repo address.
It would seem to be much simpler for you to get a dynamic DNS
hostname of some kind which you could update to point to your current
IP, so that you wouldn't have to keep changing all your working copies.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org