You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Krzysztof Smiechowicz <de...@wp.pl> on 2016/07/27 16:56:46 UTC
Authentication problem with clients > 1.7.22
Hi All,
We are having problems accessing our svn server via https with client newer than 1.7.22 - 1.8.16 and 1.9.3 to be
specific. The problem is that the newer clients come up with authentication request during svn checkout which after
entering correct password fails. The authentication comes at random moments during checkout. The difference we could
spot so far was that 1.7.22 was using ra_neon and newer clients are using ra_serf for HTTPS.
A AROS/AROS/arch/all-pc/boot/grub2-aros/configure
A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.common
A AROS/AROS/arch/all-pc/boot/grub2-aros/Makefile.in
A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.extra-dist
A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/i386-cygwin-img-ld.sc
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_nw.png
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_e.png
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/terminal_box_sw.png
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/theme.txt
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/slider_n.png
Authentication realm: <https://svn.aros.org:443> AROS TRAC+SVN
Password for 'guest':
A AROS/AROS/arch/all-pc/boot/grub2-aros/Makefile.in
A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.extra-dist
A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/i386-cygwin-img-ld.sc
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_nw.png
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_e.png
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/terminal_box_sw.png
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/theme.txt
A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/slider_n.png
Authentication realm: <https://svn.aros.org:443> AROS TRAC+SVN
Password for 'guest': *****
svn: E120190: Error retrieving REPORT: An error occurred during authentication
The server is running subversion 1.8.10 on Debian 8.
Any help is appreciated
Best regards,
Krzysztof
Re: Authentication problem with clients > 1.7.22
Posted by Krzysztof Smiechowicz <de...@wp.pl>.
W dniu 28.07.2016 o 18:24, Pavel Lyalyakin pisze:
> Hello,
>
> On Wed, Jul 27, 2016 at 7:56 PM, Krzysztof Smiechowicz <de...@wp.pl> wrote:
>>
>> Hi All,
>>
>> We are having problems accessing our svn server via https with client newer than 1.7.22 - 1.8.16 and 1.9.3 to be specific. The problem is that the newer clients come up with authentication request during svn checkout which after entering correct password fails. The authentication comes at random moments during checkout. The difference we could spot so far was that 1.7.22 was using ra_neon and newer clients are using ra_serf for HTTPS.
>
> Is there any service such as active firewall or proxy between the
> clients and the server? Which operating system are these clients on?
> Windows? Is there any antivirus on the client side?
>
This was reproduced on svn client running on Windows, Linux Mint 17 32bit and Linux Mint 18 64bit. No proxies being used
on client side.
> I'm asking these questions just because I vaguely recall a similar
> problem when an authentication prompt occurs in the middle of `svn
> checkout`. The root cause was an antivirus or active firewall / proxy.
> I regret that I don't remember all the details, but in your case I'd
> advise to check an antivirus, firewall or proxy.
Do you remember if this was a firewall on client or server side?
Best regards,
Krzysztof
Re: Authentication problem with clients > 1.7.22
Posted by Pavel Lyalyakin <pa...@visualsvn.com>.
Hello,
On Wed, Jul 27, 2016 at 7:56 PM, Krzysztof Smiechowicz <de...@wp.pl> wrote:
>
> Hi All,
>
> We are having problems accessing our svn server via https with client newer than 1.7.22 - 1.8.16 and 1.9.3 to be specific. The problem is that the newer clients come up with authentication request during svn checkout which after entering correct password fails. The authentication comes at random moments during checkout. The difference we could spot so far was that 1.7.22 was using ra_neon and newer clients are using ra_serf for HTTPS.
Is there any service such as active firewall or proxy between the
clients and the server? Which operating system are these clients on?
Windows? Is there any antivirus on the client side?
I'm asking these questions just because I vaguely recall a similar
problem when an authentication prompt occurs in the middle of `svn
checkout`. The root cause was an antivirus or active firewall / proxy.
I regret that I don't remember all the details, but in your case I'd
advise to check an antivirus, firewall or proxy.
--
With best regards,
Pavel Lyalyakin
VisualSVN Team
Re: Authentication problem with clients > 1.7.22
Posted by Krzysztof Smiechowicz <de...@wp.pl>.
W dniu 28.07.2016 o 19:51, Stefan Sperling pisze:
> Let's work some more on making sure keep-alives are configured correctly:
>
> Please ensure the KeepAlive directive is set to 'On'.
> http://httpd.apache.org/docs/2.4/mod/core.html#keepalive
> KeepAlive On
>
> And that the KeepAliveTimeout is set to at least 300 seconds:
> http://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
> KeepAliveTimeout 300
>
> Does this help?
Unfortunately no.
> If it does not, please share more details about your server-side
> authentication configuration in httpd.conf and related files.
Below please find the server configuration file as well as a snippet from server log which shows that some URLs are
returned as 401 instead of 200.
91.177.53.186 - verhaegs [28/Jul/2016:20:23:32 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Afghanistan HTTP/1.1" 200 983 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:32 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Georgia HTTP/1.1" 200 815 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:32 +0200] "GET
/svn/aros/!svn/rvr/47214/trunk/AROS/workbench/locale/flags/countries/Switzerland HTTP/1.1" 200 787 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:32 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Burundi HTTP/1.1" 200 971 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:32 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Northern_Ireland HTTP/1.1" 200 934 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:33 +0200] "GET
/svn/aros/!svn/rvr/47219/trunk/AROS/workbench/locale/flags/countries/Denmark HTTP/1.1" 200 787 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:33 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Kazakhstan HTTP/1.1" 200 966 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:33 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Taiwan HTTP/1.1" 401 831 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:33 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/North_Korea HTTP/1.1" 401 831 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
91.177.53.186 - verhaegs [28/Jul/2016:20:23:33 +0200] "GET
/svn/aros/!svn/rvr/47210/trunk/AROS/workbench/locale/flags/countries/Burkina_Faso HTTP/1.1" 401 831 "-" "SVN/1.9.4
(x86_64-redhat-linux-gnu) serf/1.3.8"
<Directory __HOME__/www/trac>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<VirtualHost *:80>
ServerName trac.aros.org:80
RewriteEngine on
Redirect / https://trac.aros.org/
</VirtualHost>
<VirtualHost *:443>
ServerName trac.aros.org:443
DocumentRoot "__HOME__/www/trac/empty"
SSLCertificateFile __HOME__/www/trac.aros.org.cert
SSLCertificateKeyFile __HOME__/www/trac.aros.org.key
SSLEngine on
ErrorLog __HOME__/www/logs/error.log
CustomLog __HOME__/www/logs/access.log combined
RedirectMatch /$ /trac
<Directory "__HOME__/www/trac/cgi-bin">
Options ExecCGI
</Directory>
Alias /trac/chrome/common __HOME__/www/trac/htdocs/common
Alias /trac/chrome/site __HOME__/www/trac/htdocs/site
ScriptAlias /trac __HOME__/www/trac/cgi-bin/trac.cgi
<Location "/trac">
SetEnv TRAC_ENV "__HOME__/www/trac"
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerName svn.aros.org:443
DocumentRoot "__HOME__/www/trac/empty"
SSLCertificateFile __HOME__/www/svn.aros.org.cert
SSLCertificateKeyFile __HOME__/www/trac.aros.org.key
SSLEngine on
ErrorLog __HOME__/www/logs/error.log
CustomLog __HOME__/www/logs/access.log combined
<Location /svn/aros>
DAV svn
SVNPath __HOME__/www/svn/aros
AuthzSVNAccessFile __HOME__/www/admin/svnauthz
AuthName "AROS TRAC+SVN"
AuthType Digest
AuthUserFile __HOME__/www/admin/htdigest
Require valid-user
</Location>
</VirtualHost>
Re: Authentication problem with clients > 1.7.22
Posted by Stefan Sperling <st...@elego.de>.
On Thu, Jul 28, 2016 at 05:34:36PM +0200, Krzysztof Smiechowicz wrote:
> W dniu 28.07.2016 o 10:01, Stefan Sperling pisze:
> > My guess is that you need to increase the MaxKeepAliveRequests setting
> > in httpd.conf on the SVN server.
> >
> > Once the MaxKeepAliveRequests limit is reached the server closes the
> > connection so the client opens a new one and authenticates again.
> >
> > Serf-based clients send a lot more requests than Neon-based clients.
> > It seems the Neon-based clients do not trigger the limit in your
> > situations, while Serf-based clients do.
> >
>
> Hello,
>
> Thank you for reply. We set this setting to 0 (unlimited),
That's OK for testing. In production you should set this to 10000.
See the yellow box at:
http://subversion.apache.org/docs/release-notes/1.8.html#neon-deleted
> but the problem persists. Should this be entered into Subversion bugtracker?
If, eventually, we come to agree that there is a bug, then filing an issue
is a good idea, of course. But I still believe this can be explained by a
server-side configuration problem, so I don't think filing a bug is
necessary at this stage.
Let's work some more on making sure keep-alives are configured correctly:
Please ensure the KeepAlive directive is set to 'On'.
http://httpd.apache.org/docs/2.4/mod/core.html#keepalive
KeepAlive On
And that the KeepAliveTimeout is set to at least 300 seconds:
http://httpd.apache.org/docs/2.4/mod/core.html#keepalivetimeout
KeepAliveTimeout 300
Does this help?
If it does not, please share more details about your server-side
authentication configuration in httpd.conf and related files.
Thanks,
Stefan
Re: Authentication problem with clients > 1.7.22
Posted by Krzysztof Smiechowicz <de...@wp.pl>.
W dniu 28.07.2016 o 10:01, Stefan Sperling pisze:
> On Wed, Jul 27, 2016 at 06:56:46PM +0200, Krzysztof Smiechowicz wrote:
>> Hi All,
>>
>> We are having problems accessing our svn server via https with client newer
>> than 1.7.22 - 1.8.16 and 1.9.3 to be specific. The problem is that the newer
>> clients come up with authentication request during svn checkout which after
>> entering correct password fails. The authentication comes at random moments
>> during checkout. The difference we could spot so far was that 1.7.22 was
>> using ra_neon and newer clients are using ra_serf for HTTPS.
>
> My guess is that you need to increase the MaxKeepAliveRequests setting
> in httpd.conf on the SVN server.
>
> Once the MaxKeepAliveRequests limit is reached the server closes the
> connection so the client opens a new one and authenticates again.
>
> Serf-based clients send a lot more requests than Neon-based clients.
> It seems the Neon-based clients do not trigger the limit in your
> situations, while Serf-based clients do.
>
Hello,
Thank you for reply. We set this setting to 0 (unlimited), but the problem persists. Should this be entered into
Subversion bugtracker?
Best regards,
Krzysztof
Re: Authentication problem with clients > 1.7.22
Posted by Krzysztof Smiechowicz <de...@wp.pl>.
W dniu 01.08.2016 o 10:19, Lieven Govaerts pisze:
>
>
> Op donderdag 28 juli 2016 heeft Stefan Sperling <stsp@elego.de <ma...@elego.de>> het volgende geschreven:
>
> On Wed, Jul 27, 2016 at 06:56:46PM +0200, Krzysztof Smiechowicz wrote:
> > Hi All,
> >
> > We are having problems accessing our svn server via https with client newer
> > than 1.7.22 - 1.8.16 and 1.9.3 to be specific. The problem is that the newer
> > clients come up with authentication request during svn checkout which after
> > entering correct password fails. The authentication comes at random moments
> > during checkout. The difference we could spot so far was that 1.7.22 was
> > using ra_neon and newer clients are using ra_serf for HTTPS.
>
> My guess is that you need to increase the MaxKeepAliveRequests setting
> in httpd.conf on the SVN server.
>
> Once the MaxKeepAliveRequests limit is reached the server closes the
> connection so the client opens a new one and authenticates again.
>
> Serf-based clients send a lot more requests than Neon-based clients.
> It seems the Neon-based clients do not trigger the limit in your
> situations, while Serf-based clients do.
>
>
> Ra_serf first opens one connection during checkout, and then opens more connections to get the data when needed. My
> guess is that the authn request comes when opening those 2nd, 3rd connections, not when the server initiates a
> connection close.
>
> The fact that serf sends more requests and therefore uses multiple connections should not make svn ask for credentials
> multiple times, they are cached in memory for Basic and Digest authentication. So there seems to be something wrong.
>
> As a workaround, it's possible to make svn use one single connection for checkout, update and merge by
> setting SVNAllowBulkUpdates to Prefer in the apache configuration file.
> See:
> https://subversion.apache.org/docs/release-notes/1.8.html#neon-deleted
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.perf.bulk-updates
>
Thank you for the workaround. This solves the problem for us!
Best regards,
Krzysztof
Re: Authentication problem with clients > 1.7.22
Posted by Lieven Govaerts <lg...@mobsol.be>.
Op donderdag 28 juli 2016 heeft Stefan Sperling <st...@elego.de> het
volgende geschreven:
> On Wed, Jul 27, 2016 at 06:56:46PM +0200, Krzysztof Smiechowicz wrote:
> > Hi All,
> >
> > We are having problems accessing our svn server via https with client
> newer
> > than 1.7.22 - 1.8.16 and 1.9.3 to be specific. The problem is that the
> newer
> > clients come up with authentication request during svn checkout which
> after
> > entering correct password fails. The authentication comes at random
> moments
> > during checkout. The difference we could spot so far was that 1.7.22 was
> > using ra_neon and newer clients are using ra_serf for HTTPS.
>
> My guess is that you need to increase the MaxKeepAliveRequests setting
> in httpd.conf on the SVN server.
>
> Once the MaxKeepAliveRequests limit is reached the server closes the
> connection so the client opens a new one and authenticates again.
>
> Serf-based clients send a lot more requests than Neon-based clients.
> It seems the Neon-based clients do not trigger the limit in your
> situations, while Serf-based clients do.
>
>
Ra_serf first opens one connection during checkout, and then opens more
connections to get the data when needed. My guess is that the authn request
comes when opening those 2nd, 3rd connections, not when the server
initiates a connection close.
The fact that serf sends more requests and therefore uses multiple
connections should not make svn ask for credentials multiple times, they
are cached in memory for Basic and Digest authentication. So there seems to
be something wrong.
As a workaround, it's possible to make svn use one single connection for
checkout, update and merge by setting SVNAllowBulkUpdates to Prefer in the
apache configuration file.
See:
https://subversion.apache.org/docs/release-notes/1.8.html#neon-deleted
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.httpd.html#svn.serverconfig.httpd.perf.bulk-updates
Hth,
Lieven
> A AROS/AROS/arch/all-pc/boot/grub2-aros/configure
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.common
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/Makefile.in
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.extra-dist
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/i386-cygwin-img-ld.sc
> > A
> AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_nw.png
> > A
> AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_e.png
> > A
> AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/terminal_box_sw.png
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/theme.txt
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/slider_n.png
> > Authentication realm: <https://svn.aros.org:443> AROS TRAC+SVN
> > Password for 'guest':
> >
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/Makefile.in
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.extra-dist
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/i386-cygwin-img-ld.sc
> > A
> AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_nw.png
> > A
> AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_e.png
> > A
> AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/terminal_box_sw.png
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/theme.txt
> > A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/slider_n.png
> > Authentication realm: <https://svn.aros.org:443> AROS TRAC+SVN
> > Password for 'guest': *****
> >
> > svn: E120190: Error retrieving REPORT: An error occurred during
> authentication
> >
> > The server is running subversion 1.8.10 on Debian 8.
> >
> > Any help is appreciated
> >
> > Best regards,
> > Krzysztof
>
Re: Authentication problem with clients > 1.7.22
Posted by Stefan Sperling <st...@elego.de>.
On Wed, Jul 27, 2016 at 06:56:46PM +0200, Krzysztof Smiechowicz wrote:
> Hi All,
>
> We are having problems accessing our svn server via https with client newer
> than 1.7.22 - 1.8.16 and 1.9.3 to be specific. The problem is that the newer
> clients come up with authentication request during svn checkout which after
> entering correct password fails. The authentication comes at random moments
> during checkout. The difference we could spot so far was that 1.7.22 was
> using ra_neon and newer clients are using ra_serf for HTTPS.
My guess is that you need to increase the MaxKeepAliveRequests setting
in httpd.conf on the SVN server.
Once the MaxKeepAliveRequests limit is reached the server closes the
connection so the client opens a new one and authenticates again.
Serf-based clients send a lot more requests than Neon-based clients.
It seems the Neon-based clients do not trigger the limit in your
situations, while Serf-based clients do.
> A AROS/AROS/arch/all-pc/boot/grub2-aros/configure
> A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.common
> A AROS/AROS/arch/all-pc/boot/grub2-aros/Makefile.in
> A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.extra-dist
> A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/i386-cygwin-img-ld.sc
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_nw.png
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_e.png
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/terminal_box_sw.png
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/theme.txt
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/slider_n.png
> Authentication realm: <https://svn.aros.org:443> AROS TRAC+SVN
> Password for 'guest':
>
> A AROS/AROS/arch/all-pc/boot/grub2-aros/Makefile.in
> A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/Makefile.extra-dist
> A AROS/AROS/arch/all-pc/boot/grub2-aros/conf/i386-cygwin-img-ld.sc
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_nw.png
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/boot_menu_e.png
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/terminal_box_sw.png
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/theme.txt
> A AROS/AROS/arch/all-pc/boot/grub2-aros/themes/starfield/slider_n.png
> Authentication realm: <https://svn.aros.org:443> AROS TRAC+SVN
> Password for 'guest': *****
>
> svn: E120190: Error retrieving REPORT: An error occurred during authentication
>
> The server is running subversion 1.8.10 on Debian 8.
>
> Any help is appreciated
>
> Best regards,
> Krzysztof