subversion: svn MKCOL ssl error

Automatically imported from Debian bug report #336373 http://bugs.debian.org/336373

Message-Id: <email address hidden>
Date: Sat, 29 Oct 2005 22:22:04 +0200
From: Thomas Petazzoni <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: subversion: svn MKCOL ssl error

Package: subversion
Version: 1.2.3dfsg1-2
Severity: grave
Justification: renders package unusable

Hi,

While trying to import files inside a Subversion repository accessed
through https, I get the following error, fully reproducible (everytime
on the same directory):

svn: MKCOL of
'/svn/thomas/!svn/wrk/b82d4a0a-4a04-0410-8ac2-c33f329d32ff/uclibc-sos/trunk/test/string':
Could not read status line: SSL error: decryption failed or bad record
mac (https://ssl.bulix.org)

Maybe it's a problem around libneon24 (linked against openssl0.9.7) and
the fact that subversion is linked against openssl 0.9.8.

Sincerly,

Thomas

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-rc4
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages subversion depends on:
ii db4.2-util 4.2.52-20 Berkeley v4.2 Database Utilities
ii libapr0 2.0.55-3 the Apache Portable Runtime
ii libc6 2.3.5-7 GNU C Library: Shared libraries an
ii libdb4.2 4.2.52-20 Berkeley v4.2 Database Libraries [
ii libexpat1 1.95.8-3 XML parsing C library - runtime li
ii libldap2 2.1.30-12 OpenLDAP libraries
ii libneon24 0.24.7.dfsg-2 An HTTP and WebDAV client library
ii libssl0.9.8 0.9.8a-2 SSL shared libraries
ii libsvn0 1.2.3dfsg1-2 shared libraries used by Subversio
ii libxml2 2.6.22-1 GNOME XML library
ii patch 2.5.9-2 Apply a diff file to an original
ii zlib1g 1:1.2.3-6 compression library - runtime

subversion recommends no packages.

-- no debconf information

Message-ID: <email address hidden>
Date: Sun, 6 Nov 2005 13:26:48 -0600
From: Peter Samuelson <email address hidden>
To: Thomas Petazzoni <email address hidden>, <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--fzb4MfPSWK/5QThu
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

First, apologies for the delayed response - I didn't get the BTS mail
until the other day, possibly because of the known mail backlog
affecting certain Debian services.

> svn: MKCOL of
> '/svn/thomas/!svn/wrk/b82d4a0a-4a04-0410-8ac2-c33f329d32ff/uclibc-sos/trunk/test/string':
> Could not read status line: SSL error: decryption failed or bad record
> mac (https://ssl.bulix.org)

I don't have an https server handy, so I can't test this right away -
I'll try and get to it in the next couple of days. But grepping the
subversion source, I don't see that error string anywhere, which makes
me think it is indeed something internal to libneon.

I'll check the libneon source as soon as I get a bit of time, and
reassign this bug if necessary.

> Maybe it's a problem around libneon24 (linked against openssl0.9.7)
> and the fact that subversion is linked against openssl 0.9.8.

Yes, quite possibly. I wonder if bazaar exhibits a similar bug, since
it's in the same situation. No such bug has been reported ... but
maybe nobody uses baz with https. (:

Thanks for the report,
Peter

--fzb4MfPSWK/5QThu
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDblj4Xk7sIRPQRh0RAsUSAJ45L/6WWet1SuwVwLwqlRFZ6sdULgCfXxd8
6bUg/T5lC1xHiaZrU9iF924=
=gSU1
-----END PGP SIGNATURE-----

--fzb4MfPSWK/5QThu--

Message-ID: <email address hidden>
Date: Sun, 6 Nov 2005 13:47:01 -0600
From: Peter Samuelson <email address hidden>
To: Thomas Petazzoni <email address hidden>, <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--KQ2iXOoQ638mtNze
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Thomas Petazzoni]
> Maybe it's a problem around libneon24 (linked against openssl0.9.7)
> and the fact that subversion is linked against openssl 0.9.8.

Since you have a ready test case for this, can you try the neon package
at http://www.barcikacomp.hu/deb/libneon25_0.25.4.dfsg-1_i386.deb, as
mentioned in Bug #335574?

Thanks,
Peter

--KQ2iXOoQ638mtNze
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDbl21Xk7sIRPQRh0RAo+yAJ4ghDRjfHDVdt9PF1bthz8vNQK6RQCgkGlG
+iQmFVTxO+ixDa4fgIi1LAI=
=CfR2
-----END PGP SIGNATURE-----

--KQ2iXOoQ638mtNze--

Message-ID: <email address hidden>
Date: Tue, 8 Nov 2005 20:53:50 +0100
From: Thomas Petazzoni <email address hidden>
To: Peter Samuelson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--Sig_5CaInUxWCPRrlxoyE6GeVbU
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Hi,

On Sun, 6 Nov 2005 13:47:01 -0600
Peter Samuelson <email address hidden> wrote:

> Since you have a ready test case for this, can you try the neon
> package at
> http://www.barcikacomp.hu/deb/libneon25_0.25.4.dfsg-1_i386.deb, as
> mentioned in Bug #335574?

With a Debian sid updated yesterday and your package, it still doesn't
work:

svn: PUT of
'/svn/thomas/!svn/wrk/6e5a851d-1305-0410-a907-edefcced848f/sos-uclibc/trunk=
/test/setjmp/setjmp_test.c':
SSL negotiation failed: SSL error: decryption failed or bad record mac
(https://ssl.bulix.org)

Sincerly,

Thomas
--=20
PETAZZONI Thomas - <email address hidden>=20
http://{thomas,sos,kos}.enix.org - Jabber: <email address hidden>
http://{agenda,livret}dulibre.org
Fingerprint : 0BE1 4CF3 CEA4 AC9D CC6E 1624 F653 CB30 98D3 F7A7

--Sig_5CaInUxWCPRrlxoyE6GeVbU
Content-Type: application/pgp-signature; name=signature.asc
Content-Disposition: attachment; filename=signature.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDcQJT9lPLMJjT96cRAt/RAJ9M1g4uMS6q1IdcUX0qVLBVix9zfwCgkMxl
I8huYwCgzgneawhJkoh/iXw=
=0oAB
-----END PGP SIGNATURE-----

--Sig_5CaInUxWCPRrlxoyE6GeVbU--

Message-ID: <email address hidden>
Date: Tue, 8 Nov 2005 15:13:02 -0600
From: Peter Samuelson <email address hidden>
To: Thomas Petazzoni <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--jYUWvSWTDpDT74zJ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[Thomas Petazzoni]
> > Since you have a ready test case for this, can you try the neon
> > package at
> > http://www.barcikacomp.hu/deb/libneon25_0.25.4.dfsg-1_i386.deb, as
> > mentioned in Bug #335574?
>=20
> With a Debian sid updated yesterday and your package, it still doesn't
> work:

Oh, doh! /usr/bin/svn will not use libneon25, so that accomplished
nothing.

I'll build a new set of packages that use libneon25 instead, and place
them in http://p12n.org/tmp/svn-336373/ for you to download. The files
should be there within about 2 hours. Can you test this again with
those packages?

Thanks,
Peter

--jYUWvSWTDpDT74zJ
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDcRTeXk7sIRPQRh0RApSSAKCjxiSFir1RQ6bYbSPRP+08PlH7RgCeNoID
AbA6r+tdiYjZBLwrNc63opY=
=GPR1
-----END PGP SIGNATURE-----

--jYUWvSWTDpDT74zJ--

Message-ID: <email address hidden>
Date: Tue, 8 Nov 2005 17:44:11 -0600
From: Peter Samuelson <email address hidden>
To: Thomas Petazzoni <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--b/1LfoxmgmdMg2Yp
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[Peter Samuelson]
> Oh, doh! /usr/bin/svn will not use libneon25, so that accomplished
> nothing.
>=20
> I'll build a new set of packages that use libneon25 instead

Well, now I see why Debian ships both neon24 and neon25. subversion
won't yet compile against neon25, and I don't have the time or
inclination right now to hack it so it does.

Laszlo, could you provide a libneon24{,-dev} compiled against ssl0.9.8,
please?

Thanks,
Peter

--b/1LfoxmgmdMg2Yp
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDcThLXk7sIRPQRh0RAtdsAJ4rRhkurcHYfJaIQG2SbV07bPVgvgCeJ7Sz
Po/Tbdd7Y3/4CvQQz2W3MUA=
=qCK4
-----END PGP SIGNATURE-----

--b/1LfoxmgmdMg2Yp--

Message-ID: <email address hidden>
Date: Wed, 9 Nov 2005 06:00:01 -0600
From: Peter Samuelson <email address hidden>
To: Thomas Petazzoni <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--PFhoI1KhOsYPpkJR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Peter Samuelson]
> Oh, doh! /usr/bin/svn will not use libneon25, so that accomplished
> nothing.

I came up with several ways around this - the latest is to use
libneon24 but *not* link libssl0.9.8. There was never any reason for
us to link to openssl at all; this was a packaging bug.

Can you please retest with my packages at
http://p12n.org/tmp/svn-336373/ ?

Thanks!
Peter

--PFhoI1KhOsYPpkJR
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDceTBXk7sIRPQRh0RAkBuAJ4kCrbqIPhmT10FkBoP6MU4NpnDIACffV2T
appgRbJc15lMz6hx8XlotaI=
=hp+R
-----END PGP SIGNATURE-----

--PFhoI1KhOsYPpkJR--

Message-ID: <email address hidden>
Date: Wed, 9 Nov 2005 15:21:35 +0100 (CET)
From: Sven-Haegar Koch <email address hidden>
To: Peter Samuelson <email address hidden>
cc: <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

Peter Samuelson wrote:
> I came up with several ways around this - the latest is to use
> libneon24 but *not* link libssl0.9.8. There was never any reason for
> us to link to openssl at all; this was a packaging bug.
>
> Can you please retest with my packages at
> http://p12n.org/tmp/svn-336373/ ?

Having had the same problem, your test-packages recompiled locally (just
decreased the version number, I want the official one to upgrade the test
one when its released) fixes it for me.

Thanks a lot.

c'ya
sven

--

The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)

Message-Id: <email address hidden>
Date: Wed, 09 Nov 2005 18:02:28 +0000
From: <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: subversion Debian ci: r422 - trunk/debian

tags 336373 pending
thanks

Author: peters-guest
Date: 2005-11-09 18:02:27 +0000 (Wed, 09 Nov 2005)
New Revision: 422

Modified:
   trunk/debian/changelog
   trunk/debian/control
Log:
Someone confirmed that #336373 is now fixed.

Also, prune some {build-,}depends now that we're no longer linking to
the whole world.

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-11-09 12:03:45 UTC (rev 421)
+++ trunk/debian/changelog 2005-11-09 18:02:27 UTC (rev 422)
@@ -13,9 +13,11 @@
   * debian/control: build-depends on libapr0-dev (>= 2.0.55-3).
     Earlier versions of libapr0 will try to make us link to libdb4.2.
   * subversion.NEWS, README.db4.3: document db4.2 -> db4.3 upgrade.
- * patches/no_extra_libs.patch: new patch to prevent linking to a lot
- of bogus libraries. (Might fix #336373 (confirmation needed), by
- virtue of not linking to libssl0.9.8.)
+ * patches/no_extra_libs.patch: new patch to prevent linking to several
+ unneeded libraries. (Closes: #336373, which was caused by linking to
+ libssl0.9.8.)
+ - debian/control: Remove several depends and build-depends we are no
+ longer using because of this

   [ Adam Conrad ]
   * Switch to using DB4.3 instead of DB4.2, as libapr0 has (closes: #335455)

Modified: trunk/debian/control
===================================================================
--- trunk/debian/control 2005-11-09 12:03:45 UTC (rev 421)
+++ trunk/debian/control 2005-11-09 18:02:27 UTC (rev 422)
@@ -3,7 +3,7 @@
 Priority: optional
 Maintainer: Guilherme de S. Pastore <email address hidden>
 Uploaders: Al Stone <email address hidden>, David Kimdon <email address hidden>, Troy Heber <email address hidden>, Peter Samuelson <email address hidden>
-Build-Depends: debhelper, libneon24-dev, apache2-threaded-dev, libapr0-dev (>= 2.0.55-3), libdb4.3-dev, libtool, libexpat1-dev, zlib1g-dev, bison, patch, python, time, python2.3-dev, autotools-dev, autoconf, swig, libsasl2-dev, perl, cdbs, libperl-dev, libkrb5-dev, kaffe-dev [!arm !armeb !mips !mipsel], kaffe-pthreads [!arm !armeb !mips !mipsel]
+Build-Depends: debhelper, libneon24-dev, apache2-threaded-dev, libapr0-dev (>= 2.0.55-3), libdb4.3-dev, libtool, bison, patch, python, time, python2.3-dev, autotools-dev, autoconf, swig, perl, cdbs, libperl-dev, kaffe-dev [!arm !armeb !mips !mipsel], kaffe-pthreads [!arm !armeb !mips !mipsel]
 Build-Conflicts: libsvn0 (<< 1.2)
 Standards-Version: 3.6.2.1

@@ -47,7 +47,7 @@
 Section: libdevel
 Priority: extra
 Architecture: any
-Depends: libsvn0 (= ${Source-Version}), libapr0-dev, libdb4.3-dev, libexpat1-dev, libneon24-dev, libxml2-dev, zlib1g-dev
+Depends: libsvn0 (= ${Source-Version}), libapr0-dev, libdb4.3-dev, libneon24-dev
 Description: development files for Subversion (aka. svn) libraries
  Subversion is a version control system much like the Concurrent
  Versions System (CVS). Version ...

Message-ID: <email address hidden>
Date: Wed, 9 Nov 2005 16:52:26 -0600
From: Peter Samuelson <email address hidden>
To: Sven-Haegar Koch <email address hidden>,
 Thomas Petazzoni <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--4cokgWgqjr3t8EL1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Sven-Haegar Koch]
> Having had the same problem, your test-packages recompiled locally
> (just decreased the version number, I want the official one to
> upgrade the test one when its released) fixes it for me.

Great! We'll close the bug on the next upload, then, unless Thomas
reports that this actually isn't fixed.

> Thanks a lot.

Thank you for the testing!

Peter

--4cokgWgqjr3t8EL1
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDcn2qXk7sIRPQRh0RAqnXAJ49DWepgmZR9U08yJEmJ1dgqhKQgACfUN0y
mzaMWTU3wCuk6j7yZJNCL1k=
=nAhn
-----END PGP SIGNATURE-----

--4cokgWgqjr3t8EL1--

Message-ID: <email address hidden>
Date: Thu, 10 Nov 2005 00:57:38 +0100
From: Thomas Petazzoni <email address hidden>
To: Peter Samuelson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#336373: subversion: svn MKCOL ssl error

--Signature_Thu__10_Nov_2005_00_57_38_+0100_FOYOQwFXuj1dyCjT
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

Hi,

On Wed, 9 Nov 2005 06:00:01 -0600
Peter Samuelson <email address hidden> wrote:

> Can you please retest with my packages at
> http://p12n.org/tmp/svn-336373/ ?

I've tested them, and I've been able to import the whole uClibc source
code through https:// without any problem (while it was previously
failing after a couple of files). So I think it's fixed.

BTW, your Packages.gz doesn't match the packages themselves: it
contains wrong sizes.

Thanks for the bug fix !

Sincerly,

Thomas
--=20
PETAZZONI Thomas - <email address hidden>=20
http://{thomas,sos,kos}.enix.org - Jabber: <email address hidden>
http://{agenda,livret}dulibre.org - http://www.toulibre.org
Fingerprint : 0BE1 4CF3 CEA4 AC9D CC6E 1624 F653 CB30 98D3 F7A7

--Signature_Thu__10_Nov_2005_00_57_38_+0100_FOYOQwFXuj1dyCjT
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDcoz49lPLMJjT96cRAtpkAKCQTeSVcSCBRUWi8bHhQlvWSmk70gCePrL8
AKFIeQAbGefu/llQtk0pnD4=
=J/5K
-----END PGP SIGNATURE-----

--Signature_Thu__10_Nov_2005_00_57_38_+0100_FOYOQwFXuj1dyCjT--

Message-Id: <email address hidden>
Date: Sat, 03 Dec 2005 22:02:09 -0800
From: Peter Samuelson <email address hidden>
To: <email address hidden>
Subject: Bug#336373: fixed in subversion 1.2.3dfsg1-3

Source: subversion
Source-Version: 1.2.3dfsg1-3

We believe that the bug you reported is fixed in the latest version of
subversion, which is due to be installed in the Debian FTP archive:

libapache2-svn_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/libapache2-svn_1.2.3dfsg1-3_i386.deb
libsvn-core-perl_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/libsvn-core-perl_1.2.3dfsg1-3_i386.deb
libsvn-javahl_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/libsvn-javahl_1.2.3dfsg1-3_i386.deb
libsvn0-dev_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/libsvn0-dev_1.2.3dfsg1-3_i386.deb
libsvn0_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/libsvn0_1.2.3dfsg1-3_i386.deb
python2.3-subversion_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/python2.3-subversion_1.2.3dfsg1-3_i386.deb
subversion-tools_1.2.3dfsg1-3_all.deb
  to pool/main/s/subversion/subversion-tools_1.2.3dfsg1-3_all.deb
subversion_1.2.3dfsg1-3.diff.gz
  to pool/main/s/subversion/subversion_1.2.3dfsg1-3.diff.gz
subversion_1.2.3dfsg1-3.dsc
  to pool/main/s/subversion/subversion_1.2.3dfsg1-3.dsc
subversion_1.2.3dfsg1-3_i386.deb
  to pool/main/s/subversion/subversion_1.2.3dfsg1-3_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Samuelson <email address hidden> (supplier of updated subversion package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 2 Dec 2005 16:22:44 -0600
Source: subversion
Binary: libsvn-core-perl libapache2-svn libsvn0 libsvn-javahl python2.3-subversion subversion-tools libsvn0-dev subversion
Architecture: source i386 all
Version: 1.2.3dfsg1-3
Distribution: unstable
Urgency: low
Maintainer: Guilherme de S. Pastore <email address hidden>
Changed-By: Peter Samuelson <email address hidden>
Description:
 libapache2-svn - apache modules for Subversion (aka. svn)
 libsvn-core-perl - perl bindings for Subversion (aka. svn)
 libsvn-javahl - java bindings for Subversion (aka. svn)
 libsvn0 - shared libraries used by Subversion (aka. svn)
 libsvn0-dev - development files for Subversion (aka. svn) libraries
 python2.3-subversion - python modules for interfacing with Subversion (aka. svn)
 subversion - advanced version control system (aka. svn)
 subversion-tools - assorted tools related to Subversion (aka. svn)
Closes: 285708 298822 310777 316097 335438 335455 336373 336781
Changes:
 subversion (1.2.3dfsg1-3) unstable; urgency=low
 .
   [ Peter Samuelson ]
   * rules: Remove the unwritten requirement that /usr/bin/python be
     specifically version 2.3:
     - derive...

Message-ID: <email address hidden>
Date: Mon, 02 Jan 2006 20:28:30 +1100
From: Daniel Pittman <email address hidden>
To: <email address hidden>
Subject: subversion: svn MKCOL ssl error

Package: subversion
Version: 1.2.3dfsg1-3
Severity: grave

G'day.

I have run into a problem where I can't commit a change to my subversion
repository via HTTP/SSL.

The problem seems identical to the one described in this bug report, but
my issues continue despite running the version that claims to have fixed
the problem.

The server is running an up-to-date version of unstable as well, and I
have verified that the same version of subversion and all appropriate
modules are installed and running on both sides.

The error I see is:

svn: Commit failed (details follow):
svn: MKCOL of '/svn/general/!svn/wrk/6796d7ea-5b09-0410-9cde-b6775cbebef8/debian/perl/librose-html-objects-perl-0.32/lib/Rose': SSL negotiation failed: SSL error: decryption failed or bad record mac (https://digital-infrastructure.com.au)

There are, annoyingly enough, no errors at all in the Apache logs on the
server side, which makes tracking this down much more annoying.

The commit in question is fairly large, as it adds 8.2MB of files,
representing 662 individual files.

Other commits seem to work just fine, but they are much smaller.

I have run into this once before -- but it was a much smaller commit, a
long time ago, and not at all reproducible. At the time I couldn't
identify any particular cause...

I wonder if perhaps this is some sort of SSL renegotiation bug that
triggers when submitting a sufficiently large commit or something?

         Daniel

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages subversion depends on:
ii db4.3-util 4.3.29-3 Berkeley v4.3 Database Utilities
ii libapr0 2.0.55-3 the Apache Portable Runtime
ii libc6 2.3.5-9 GNU C Library: Shared libraries an
ii libneon24 0.24.7.dfsg-3 An HTTP and WebDAV client library
ii libsvn0 1.2.3dfsg1-3 shared libraries used by Subversio
ii patch 2.5.9-2 Apply a diff file to an original

subversion recommends no packages.

-- no debconf information

Message-ID: <email address hidden>
Date: Tue, 3 Jan 2006 13:24:55 -0500
From: Jim Paris <email address hidden>
To: <email address hidden>
Subject: Same issue

I've just found the same problem on my server. I haven't tried a big
commit, but I hit it when doing a svn diff of two large trees:

$ svn diff https://jim.sh/svn/jim/vendor/uqm/current https://ji...
svn: PROPFIND request failed on '/svn/jim/vendor/uqm/current/src/sc2code/libs/sound'
svn: PROPFIND of '/svn/jim/vendor/uqm/current/src/sc2code/libs/sound': Could not read status line: SSL error: decryption failed or bad record mac (https://jim.sh)

All subversion packages are 1.2.3dfsg1-3, libneon is 0.24.7.dfsg-3.

No client certs are being used. Large https transfers from this host
work fine, so it's not a network or general Apache issue.

-jim

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 19:46:11 -0500
From: Jim Paris <email address hidden>
To: <email address hidden>
Subject: bug

I suppose this is just bug #338006 ...

-jim

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 21:12:02 -0500
From: Jim Paris <email address hidden>
To: <email address hidden>
Subject: workaround

Sorry for all the spam..

This is definitely the openssl bug. It appears that the fix in
subversion 1.2.3dfsg1-3 only postponed the problem until libneon24
upgraded to openssl 0.9.8.

I found that a workaround is to limit the ciphers on the Apache end.
Removing all SSLv3 ciphers except RC4 seems to do the trick. For
example, my apache2 configuration now has:

  SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

and subversion works again. This is a drastic measure, of course, but
I need my subversion repository to work.

I didn't reopen this bug because it's really a problem with openssl,
but maybe it's worth keeping this around so other people can find it.

-jim

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 22:10:38 -0600
From: Peter Samuelson <email address hidden>
To: Jim Paris <email address hidden>, <email address hidden>
Subject: Re: Bug#336373: workaround

--apbmkPN6Hu/1dI3g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

[Jim Paris]
> This is definitely the openssl bug. It appears that the fix in
> subversion 1.2.3dfsg1-3 only postponed the problem until libneon24
> upgraded to openssl 0.9.8.

That seems unlikely since libneon24 in unstable uses openssl 0.9.8.
=2E..Errrr, wait, are you saying openssl 0.9.7 has the bug, or 0.9.8?

I will ask people to retest with subversion 1.3.0-1, which uses
libneon25 and (opensel 0.9.8), as soon as our 1.3.0-1 gets through NEW
processing and into experimental.

> I found that a workaround is to limit the ciphers on the Apache end.
> Removing all SSLv3 ciphers except RC4 seems to do the trick. For
> example, my apache2 configuration now has:
>=20
> SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

Thanks for the workaround!

Peter

--apbmkPN6Hu/1dI3g
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDvz8+Xk7sIRPQRh0RAjjdAJwMFomWaaDBeajgebX6EZCGXGzOVQCdEhYF
3S++dByG8ou1HLL/MPphP5c=
=4i49
-----END PGP SIGNATURE-----

--apbmkPN6Hu/1dI3g--

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 23:19:08 -0500
From: Jim Paris <email address hidden>
To: Peter Samuelson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#336373: workaround

> > This is definitely the openssl bug. It appears that the fix in
> > subversion 1.2.3dfsg1-3 only postponed the problem until libneon24
> > upgraded to openssl 0.9.8.
>
> That seems unlikely since libneon24 in unstable uses openssl 0.9.8.
> ...Errrr, wait, are you saying openssl 0.9.7 has the bug, or 0.9.8?

I'm not quite sure what you mean. I'm using 0.9.8 all around. As far
as I can tell, the bug was introduced in openssl 0.9.8, and only shows
up when both client and server are 0.9.8.

-jim

Message-ID: <email address hidden>
Date: Fri, 6 Jan 2006 22:22:49 -0600
From: Peter Samuelson <email address hidden>
To: Jim Paris <email address hidden>, <email address hidden>
Subject: Re: Bug#336373: workaround

--KjSGHOmKKB2VUiQn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

[Peter Samuelson]
> That seems unlikely since libneon24 in unstable uses openssl 0.9.8.
> ...Errrr, wait, are you saying openssl 0.9.7 has the bug, or 0.9.8?

Never mind. Having read #338006, all is clear now. Thanks again for
the information.

Peter

--KjSGHOmKKB2VUiQn
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDv0IYXk7sIRPQRh0RApkrAKCRrgmlOOI3slrqI6wzWM1qEjRhDgCdElld
Pk71J84/q5I5EEKtcsxQDMc=
=rQSu
-----END PGP SIGNATURE-----

--KjSGHOmKKB2VUiQn--

This was a libssl bug which has since been fixed, and the fixed version is in dapper.