Hi Julian,

Draft which may save you some time:

First patch against trunk:
[[[
* site/staging/faq.html:
  Add entry for "An error occurred during SSL communication" error.
]]]

Second patch against trunk:
[[[
* site/staging/docs/release-notes/1.10.html:
  Add entry for an OpenSSL upgrade causing "An error occurred during SSL 
communication" error.
]]]

Cheers,
Folker

On 2018-08-01 15:03, Julian Foad wrote:
> Folker Schamel wrote:
>> Hi Stefan,
>>> That's the catch here. Subversion does not ship with OpenSSL by itself. From Subversion's point of view this is a 3rd-party dependency. [...] It could be something worthwhile adding to the FAQ however, though then in a more general manner like: Troubleshooting Subversion SSL connection.
>> Good point.
>> The FAQ seems to be a good place.
>>
>> Nevertheless, in such situations we are probably not the only ones looking primarily into the Subversion release notes, not so much into the Debian documentation or Subversion FAQ, because the problem seemingly was caused - in simple terms - by the Subversion update. Also note that new releases of distributions of Subversion are usually strongly correlated with new Subversion releases.
>>
>> So I still suggest to also put a warning in the Subversion release notes, for example: "Your distribution may also upgrade OpenSSL along with the Subversion upgrade, which may cause trouble, see xxxx in the FAQ."
>> At least for us it would have spared a lot of time ;-)
>>
>> Even if you may insist that this is logically the "wrong" place, sometimes a note in such a "wrong" place can be very helpful for users who are looking in that "wrong" place ;-)
>
> I agree -- when something like this hits users in real life, we should add it to the release notes, either in total or as a pointer to a FAQ. And I want to say thank you for writing a helpful description for other users to diagnose the problem after being troubled by it yourself.
>
> If no-one else volunteers, I will try to do it in the next day or two (but I haven't much time).
>
> - Julian


Index: staging/faq.html
===================================================================
--- staging/faq.html    (revision 1837244)
+++ staging/faq.html    (working copy)
@@ -1,4 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd";>
 <html xmlns="http://www.w3.org/1999/xhtml";>
 <head>
@@ -256,6 +256,8 @@
     characters do not seem to be working?</a></li>
 <li><a href="#dav-slow-copy">Why does an HTTP(S) URL-to-URL copy or
     branch/tag operation take a long time?</a></li>
+<li><a href="#ssl-communication-error">When performing Subversion operations
+    over SSL, I get the error <tt>An error occurred during SSL 
communication</tt></a></li>
 </ul>
 
 <h4>Developer questions:</h4>
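Review bot: the new list item has been line-wrapped in transit (`<tt>An error occurred during SSL ` is cut and continues on the next line as `communication</tt></a></li>` with no `+` prefix), so `patch` or `svn patch` will reject this hunk as sent; attach the diff as a file or resend with the mail client's line wrapping disabled. The same wrapping breaks the longer lines of the following hunks in both files.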
@@ -4158,8 +4160,50 @@
 
 </div>
 
+<div class="h3" id="ssl-communication-error">
+
+<h3>When performing Subversion operations
+    over SSL, I get the error <tt>An error occurred during SSL 
communication</tt>
+  <a class="sectionlink" href="#ssl-communication-error"
+    title="Link to this section">&para;</a>
+</h3>
+<p>
+SSL communication errors can have various reasons.
+You can use the openssl binary to debug the ssl connection.
+<pre>
+openssl s_client -connect example.com:443 -servername example.com
+</pre>
+If you use a client certificate, 
+then you need to convert Subversion's client certificate from pkcs12 to pem 
first:
+<pre>
+openssl pkcs12 -in path/to/svn/cert.p12 -out cert.pem
+</pre>
+Then you can use:
+<pre>
+openssl s_client -connect example.com:443 -servername example.com -cert 
cert.pem
+</pre>
+If you are using ssl-authority-files in <tt>.subversion/servers</tt> to verify
+the server cert you can get <tt>s_client</tt> to do the same with the 
additional
+parameter:
+<pre>
+openssl s_client ... -CAfile path/to/authority.pem
+</pre>
+The <tt>s_client</tt> output may indicate what problem is occurring.
+</p>
+
+<p>
+For example, if <tt>s_client</tt> reports
+<pre>
+error setting certificate
+140258270184704:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too 
weak:../ssl/ssl_rsa.c:303:
+</pre>
+then creating new CA keys with sha256 instead of md5 should solve the problem.
+</p>
+
 </div>
 
+</div>
+
 <div class="h2" id="developer-questions">
 <h2>Developer questions:
   <a class="sectionlink" href="#developer-questions"
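Review bot: the remedy "creating new CA keys with sha256 instead of md5" conflates the key with the signature digest: the `ca md too weak` error from `SSL_CTX_use_certificate` means the client certificate loaded from cert.pem was signed by the CA using MD5 (`md5WithRSAEncryption`), which OpenSSL 1.1 rejects at its default security level; the CA's key can stay as it is, what has to be re-issued are the client certificates (and the CA certificate if it too is MD5-signed) with a SHA-256 signature, e.g. `openssl ca -md sha256 ...` or `openssl req -x509 -sha256 ...`. Suggest also telling the reader how to confirm the diagnosis before re-issuing anything, e.g. `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'`. Two smaller points in the same block: `<pre>` is a block-level element and is not permitted inside `<p>` in the XHTML 1.1 DTD this page declares, so close the paragraph before each `<pre>` and reopen it after; and the `openssl pkcs12 -in ... -out cert.pem` conversion writes the private key into cert.pem alongside the certificate (which is why `-cert cert.pem` works without `-key`), which deserves a sentence so readers know to delete or protect that file afterwards.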
Index: staging/docs/release-notes/1.10.html
===================================================================
--- staging/docs/release-notes/1.10.html        (revision 1837244)
+++ staging/docs/release-notes/1.10.html        (working copy)
@@ -1,4 +1,4 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" 
    "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd";>
 <html xmlns="http://www.w3.org/1999/xhtml";>
 <head>
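Review bot: as in the faq.html patch, this DOCTYPE hunk is a whitespace-only change unrelated to the release-notes entry; drop it from the patch.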
@@ -291,6 +291,43 @@
 
 </div>  <!-- svnserve-use-sasl -->
 
+<div class="h4" id="new-ca-keys">
+<h4>New CA keys may be required
+  <a class="sectionlink" href="#new-ca-keys"
+    title="Link to this section">&para;</a>
+</h4>
+
+<p>
+Some binary distributions of this new Subversion version
+may link to a newer OpenSSL version than previous distributions.
+This may lead to different behavior.
+</p>
+
+<p>
+Especially, some distributions may link this Subversion release to OpenSSL 1.1 
instead of OpenSSL 1.0.
+OpenSSL 1.1 does not allow md5 hashes for CA keys anymore.
+When using client certificates signed by such a CA, 
+the new Subversion client may fail with <tt>An error occurred during SSL 
communication</tt>.
+You can analyze the underlying cause by first converting the client 
certificate from p12 to pem by
+<pre>
+openssl pkcs12 -in path/to/svn/cert.p12 -out cert.pem
+</pre>
+and then testing the SSL connection by
+<pre>
+openssl s_client -connect example.com:443 -servername example.com -cert 
cert.pem
+</pre>
+If this test connection fails with <tt>ca md too weak</tt>
+then creating new CA keys using sha256 instead of md5 
+and corresponding new client certificates should solve the problem.
+</p>
+    
+<p>
+See also <a href="/faq.html#ssl-communication-error">When performing 
Subversion operations
+over SSL, I get the error <tt>An error occurred during SSL 
communication</tt></a> 
+</p>
+
+</div>  <!-- new-ca-keys -->
+
 </div>  <!-- compat-misc -->
 
 </div>  <!-- compatibility -->
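Review bot: the heading "New CA keys may be required" and the sentence "OpenSSL 1.1 does not allow md5 hashes for CA keys anymore" mislocate the problem: what OpenSSL 1.1 rejects at its default security level is an MD5 signature on a certificate, so re-issuing the certificates with SHA-256 signatures is sufficient and no new CA keys are needed; suggest a title along the lines of "Certificates with MD5 signatures are rejected by OpenSSL 1.1" and rewording the paragraph and the final "creating new CA keys using sha256" sentence to talk about re-signed certificates. "This may lead to different behavior." says nothing on its own and can be folded into the next paragraph or dropped. As in the FAQ hunk, `<pre>` cannot be nested inside `<p>` under XHTML 1.1. Minor: the line after the closing `</p>` (before "See also") is whitespace-only and should be empty.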
