Hello everyone,

After upgrading, Subversion SSL connections with "SSLVerifyClient require" seem to be broken.

Broken: SVN Client 1.9.5, Serf 1.3.9-3, Server "SSLVerifyClient require"
Works:  SVN Client 1.9.5, Serf 1.3.9-3, Server "SSLVerifyClient off"
Works:  SVN Client 1.9.5, Serf 1.3.8-1, Server "SSLVerifyClient require"

For the broken setup, the client reports:
svn: E120171: Error running context: An error occurred during SSL communication
And the server Apache log reports:
ssl_engine_io.c(1308): (70014)End of file found: [client xxxxx:xxxxx] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

The latest TortoiseSVN client reports the same problem, presumably with the same cause.
Additional details below.

Can I help with additional information?

Btw, thanks a lot to all Subversion developers and contributors for the awesome work!!!

Cheers,
Folker

***** Client-side recipe (latest Debian stretch):

root@xxxxx:/# apt-get install libserf-1-1=1.3.8-1
.....
root@xxxxx:/# svn --version
svn, version 1.9.5 (r1770682)
   compiled Jun 30 2018, 13:44:22 on x86_64-pc-linux-gnu

Copyright (C) 2016 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.8 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /root/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

root@xxxxx:/# svn update
Updating '.':
At revision 828.
root@xxxxx:/# apt-get install libserf-1-1=1.3.9-3
.....
root@xxxxx:/# svn --version
svn, version 1.9.5 (r1770682)
   compiled Jun 30 2018, 13:44:22 on x86_64-pc-linux-gnu

Copyright (C) 2016 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /root/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

root@xxxxx:/# svn update
Updating '.':
svn: E170013: Unable to connect to a repository at URL 'https://xxxxx/xxxxx/xxxxx'
svn: E120171: Error running context: An error occurred during SSL communication
root@xxxxx:/#

***** Client-side recipe continuation after SSLVerifyClient require -> off

root@xxxxx:/# svn update
Updating '.':
At revision 828.
root@xxxxx:/#

***** Server-side ssl-error.log:

...
[Tue Jul 31 15:30:43.885515 2018] [ssl:info] [pid xxxxx:tid xxxxx] [client xxxxx:xxxxx] AH01964: Connection to child 68 established (server localhost:443)
[Tue Jul 31 15:30:43.885795 2018] [ssl:trace2] [pid xxxxx:tid xxxxx] ssl_engine_rand.c(126): Seeding PRNG with 656 bytes of entropy
[Tue Jul 31 15:30:43.885983 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1989): [client xxxxx:xxxxx] OpenSSL: Handshake: start
[Tue Jul 31 15:30:43.886064 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: before/accept initialization
[Tue Jul 31 15:30:43.886114 2018] [ssl:trace4] [pid xxxxx:tid xxxxx] ssl_engine_io.c(2135): [client xxxxx:xxxxx] OpenSSL: read 5/5 bytes from BIO#7fcef0001580 [mem: 7fcef0006dc3] (BIO dump follows)
[Tue Jul 31 15:30:43.886134 2018] [ssl:trace4] [pid xxxxx:tid xxxxx] ssl_engine_io.c(2135): [client xxxxx:xxxxx] OpenSSL: read 191/191 bytes from BIO#7fcef0001580 [mem: 7fcef0006dc8] (BIO dump follows)
[Tue Jul 31 15:30:43.886183 2018] [ssl:debug] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(2122): [client xxxxx:xxxxx] AH02044: No matching SSL virtual host for servername xxxxx found (using default/first virtual host)
[Tue Jul 31 15:30:43.886258 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.886294 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.886419 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.908313 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.908537 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.908769 2018] [ssl:trace4] [pid xxxxx:tid xxxxx] ssl_engine_io.c(2135): [client xxxxx:xxxxx] OpenSSL: write 2173/2173 bytes to BIO#7fcef0001500 [mem: 7fcef0014030] (BIO dump follows)
[Tue Jul 31 15:30:43.909055 2018] [core:trace6] [pid xxxxx:tid xxxxx] core_filters.c(525): [client xxxxx:xxxxx] core_output_filter: flushing because of FLUSH bucket
[Tue Jul 31 15:30:43.909342 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(1998): [client xxxxx:xxxxx] OpenSSL: Loop: unknown state
[Tue Jul 31 15:30:43.918838 2018] [ssl:trace4] [pid xxxxx:tid xxxxx] ssl_engine_io.c(2144): [client xxxxx:xxxxx] OpenSSL: I/O error, 5 bytes expected to read on BIO#7fcef0001580 [mem: 7fcef00150e3]
[Tue Jul 31 15:30:43.919121 2018] [ssl:trace3] [pid xxxxx:tid xxxxx] ssl_engine_kernel.c(2027): [client xxxxx:xxxxx] OpenSSL: Exit: error in unknown state
[Tue Jul 31 15:30:43.919427 2018] [ssl:debug] [pid xxxxx:tid xxxxx] ssl_engine_io.c(1308): (70014)End of file found: [client xxxxx:xxxxx] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jul 31 15:30:43.919615 2018] [ssl:info] [pid xxxxx:tid xxxxx] [client xxxxx:xxxxx] AH01998: Connection closed to child 68 with abortive shutdown (server localhost:443)
...

***** Server-side Apache configuration (latest Debian stretch):

<VirtualHost>
    .....

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /xxxxx/xxxxx.pem
</VirtualHost>

<Location /svn>
    SetOutputFilter DEFLATE
    SetInputFilter DEFLATE
    Header append Vary User-Agent env=!dont-vary
</Location>

<Location /svn/xxxxx>
    DAV svn
    SVNPath /xxxxx
    SVNAutoversioning On
    SVNPathAuthz On
    AuthType Basic
    AuthName "xxxxx"
    AuthUserFile /xxxxx/xxxxx
    AuthzSVNAccessFile /xxxxx/xxxxx
    Require valid-user

    .....
</Location>

*****
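
One way to summarise a mod_ssl trace like the ssl-error.log excerpt above per connection, so that an aborted handshake can be told apart from a completed one (an added example, not part of the original post; the sample lines are constructed and the function name `summarize` is hypothetical):

```python
import re
from collections import defaultdict

# Constructed sample shaped like the ssl-error.log excerpt above. Addresses,
# pid/tid and the second (successful) connection are invented, and every line
# shares one shortened prefix because the parser ignores it.
PREFIX = "[Tue Jul 31 15:30:43 2018] [ssl:trace4] [pid 1:tid 2] "
SAMPLE_LOG = "\n".join(PREFIX + rest for rest in [
    "[client 192.0.2.10:50001] OpenSSL: Handshake: start",
    "[client 192.0.2.10:50001] OpenSSL: read 5/5 bytes from BIO#1 [mem: a] (BIO dump follows)",
    "[client 192.0.2.10:50001] OpenSSL: read 191/191 bytes from BIO#1 [mem: b] (BIO dump follows)",
    "[client 192.0.2.10:50001] OpenSSL: write 2173/2173 bytes to BIO#2 [mem: c] (BIO dump follows)",
    "[client 192.0.2.10:50001] OpenSSL: I/O error, 5 bytes expected to read on BIO#1 [mem: d]",
    "(70014)End of file found: [client 192.0.2.10:50001] AH02007: SSL handshake interrupted by system",
    "[client 192.0.2.20:50002] OpenSSL: Handshake: start",
    "[client 192.0.2.20:50002] OpenSSL: read 196/196 bytes from BIO#3 [mem: e] (BIO dump follows)",
    "[client 192.0.2.20:50002] OpenSSL: write 2173/2173 bytes to BIO#4 [mem: f] (BIO dump follows)",
    "[client 192.0.2.20:50002] OpenSSL: read 1400/1400 bytes from BIO#3 [mem: g] (BIO dump follows)",
    "[client 192.0.2.20:50002] OpenSSL: Handshake: done",
])

CLIENT = re.compile(r"\[client ([^\]]+)\]")
IO = re.compile(r"OpenSSL: (read|write) (\d+)/\d+ bytes")

def summarize(log_text):
    """Per client ip:port: bytes read/written and how the handshake ended."""
    conns = defaultdict(
        lambda: {"read": 0, "write": 0, "last_io": None, "outcome": "incomplete"})
    for line in log_text.splitlines():
        client = CLIENT.search(line)
        if not client:
            continue  # e.g. the PRNG seeding line carries no client tag
        conn = conns[client.group(1)]
        io = IO.search(line)
        if io:
            conn[io.group(1)] += int(io.group(2))
            conn["last_io"] = io.group(1)
        elif "Handshake: done" in line:
            conn["outcome"] = "completed"
        elif "AH02007" in line:
            # EOF right after a server write: the peer closed the connection
            # once it had received the server's handshake flight.
            after_write = conn["last_io"] == "write"
            conn["outcome"] = "peer closed after server flight" if after_write else "interrupted"
    return dict(conns)

if __name__ == "__main__":
    for client, conn in summarize(SAMPLE_LOG).items():
        print(client, conn["read"], "read,", conn["write"], "written:", conn["outcome"])
```

Because the excerpt above redacts every client as xxxxx:xxxxx, real use needs the unredacted log so that connections can be separated by address and port.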
