Debian Bug report logs - #474139
libneon27: Breaks access to some Subversion repositories

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Roland Mas <lolando@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libneon27: Breaks access to some Subversion repositories

Date: Thu, 03 Apr 2008 18:17:52 +0200

Package: libneon27
Version: 0.28.1-2
Severity: normal

It seems there's been a regression between libneon 0.27.2-1 and
0.28.1-2.  The latter doesn't let me access the svn.gforge.org
repository.  I get the following error:

$ svn ls https://svn.gforge.org/svn/gforge
svn: PROPFIND request failed on '/svn/gforge'
svn: PROPFIND of '/svn/gforge': SSL negotiation failed: SSL error: bad decompression (https://svn.gforge.org)

  Downgrading to the previous version seems to "fix" the problem:

$ sudo dpkg -i libneon27_0.27.2-1_i386.deb 
dpkg - warning: downgrading libneon27 from 0.28.1-2 to 0.27.2-1.
(Reading database ... 191420 files and directories currently installed.)
Preparing to replace libneon27 0.28.1-2 (using libneon27_0.27.2-1_i386.deb) ...
Unpacking replacement libneon27 ...
Setting up libneon27 (0.27.2-1) ...
$ svn ls https://svn.gforge.org/svn/gforge
branches/
tags/
trunk/
$ 

Roland.
-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libneon27 depends on:
ii  libc6                 2.7-10             GNU C Library: Shared libraries
ii  libcomerr2            1.40.8-2           common error description library
ii  libkrb53              1.6.dfsg.3~beta1-4 MIT Kerberos runtime libraries
ii  libssl0.9.8           0.9.8g-8           SSL shared libraries
ii  libxml2               2.6.31.dfsg-2      GNOME XML library
ii  zlib1g                1:1.2.3.3.dfsg-11  compression library - runtime

Versions of packages libneon27 recommends:
ii  ca-certificates             20070303-0.1 Common CA certificates

-- no debconf information

Message #12 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi <gcs@debian.hu>

To: 474139@bugs.debian.org

Subject: Re: Bug#474139: libneon27: Breaks access to some Subversion repositories

Date: Mon, 07 Apr 2008 18:24:13 +0200

Hi Roland,

On Thu, 2008-04-03 at 18:17 +0200, Roland Mas wrote:
> It seems there's been a regression between libneon 0.27.2-1 and
> 0.28.1-2.  The latter doesn't let me access the svn.gforge.org
> repository.  I get the following error:
> 
> $ svn ls https://svn.gforge.org/svn/gforge
> svn: PROPFIND request failed on '/svn/gforge'
> svn: PROPFIND of '/svn/gforge': SSL negotiation failed: SSL error: bad decompression (https://svn.gforge.org)
> 
>   Downgrading to the previous version seems to "fix" the problem:
 Do you know anything from the server side? Searching on Google revealed
that others have similar problems in the past, which was solved by some
upgrade of Subversion on the server side.
Other sites work. See:
svn ls https://llvm.org/svn/llvm-project/llvm/
svn ls https://publicsvn.songbirdnest.com/songbird/client/
svn ls https://opends.dev.java.net/svn/opends/ (guest/empty password)

My private repositories also work over https. It may be an openssl
issue, at least I couldn't find the mentioned error message in the
source of neon.

Will investigate further,
Laszlo/GCS

Message #17 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Roland Mas <lolando@debian.org>

To: 474139@bugs.debian.org

Subject: Re: Bug#474139: libneon27: Breaks access to some Subversion repositories

Date: Wed, 09 Apr 2008 13:46:24 +0200

[Please keep the submitter in Cc: when replying to bugs, otherwise
they can't see you've answered unless polling the web interface]

> Do you know anything from the server side? Searching on Google revealed
> that others have similar problems in the past, which was solved by some
> upgrade of Subversion on the server side.

I don't know much, apart that the admin isn't very active.  The server
may be rather old, since it doesn't support some feature I wanted to
use at some point (forgot which), but since the problem appeared when
upgrading neon, my guess is that the fault isn't in the server.

Roland.
-- 
Roland Mas

M-x execute-extended-command

Message #22 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Joost van Baal <j.e.vanbaal+debian-bugs@uvt.nl>

To: 474139@bugs.debian.org

Subject: same here

Date: Tue, 15 Apr 2008 15:44:18 +0200

[Message part 1 (text/plain, inline)]

Hi,

The upgrade libneon27 0.27.2-1 -> 0.28.2-1 broke access to https svn
servers here: "svn up" gives:

 Error validating server certificate for 'https://example.com:443':
  - The certificate is not issued by a trusted authority. Use the
    fingerprint to validate the certificate manually!

.  It seems the upgrade causes svn to inspect
/etc/ssl/certs/ca-certificates.crt only (and not the symlink indexed
files in that directory).

A workaround is to set ssl-authority-files in ~/.subversion/servers.

Thanks, Bye,

Joost

[signature.asc (application/pgp-signature, inline)]

Message #27 received at 474139-close@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi (GCS) <gcs@debian.hu>

To: 474139-close@bugs.debian.org

Subject: Bug#474139: fixed in neon27 0.28.2-2

Date: Sun, 27 Apr 2008 18:32:12 +0000

Source: neon27
Source-Version: 0.28.2-2

We believe that the bug you reported is fixed in the latest version of
neon27, which is due to be installed in the Debian FTP archive:

libneon27-dbg_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-dbg_0.28.2-2_amd64.deb
libneon27-dev_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-dev_0.28.2-2_amd64.deb
libneon27-gnutls-dbg_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dbg_0.28.2-2_amd64.deb
libneon27-gnutls-dev_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls-dev_0.28.2-2_amd64.deb
libneon27-gnutls_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27-gnutls_0.28.2-2_amd64.deb
libneon27_0.28.2-2_amd64.deb
  to pool/main/n/neon27/libneon27_0.28.2-2_amd64.deb
neon27_0.28.2-2.diff.gz
  to pool/main/n/neon27/neon27_0.28.2-2.diff.gz
neon27_0.28.2-2.dsc
  to pool/main/n/neon27/neon27_0.28.2-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 474139@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.hu> (supplier of updated neon27 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 21 Apr 2008 13:56:22 +0200
Source: neon27
Binary: libneon27 libneon27-dev libneon27-dbg libneon27-gnutls libneon27-gnutls-dev libneon27-gnutls-dbg
Architecture: source amd64
Version: 0.28.2-2
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Description: 
 libneon27  - An HTTP and WebDAV client library
 libneon27-dbg - Detached symbols for libneon27
 libneon27-dev - Header and static library files for libneon27
 libneon27-gnutls - An HTTP and WebDAV client library (GnuTLS enabled)
 libneon27-gnutls-dbg - Detached symbols for libneon27 (GnuTLS enabled)
 libneon27-gnutls-dev - Header and static library files for libneon27 (GnuTLS enabled)
Closes: 474139 476571
Changes: 
 neon27 (0.28.2-2) unstable; urgency=low
 .
   * Only the GnuTLS flavour needs to be configured with --with-ca-bundle
     (closes: #474139).
   * Fix segfault with dav/https shares (closes: #476571), thanks to
     Yves-Alexis Perez for the patch.
Checksums-Sha1: 
 79cdda5a28e6da380f8e00597201b32c40789655 1218 neon27_0.28.2-2.dsc
 596dcfdc0f62c61704279cdb7eab1c635ba68c35 7797 neon27_0.28.2-2.diff.gz
 45cd69dc2a3ed46fd8babaedc17ab5600c4fd538 144336 libneon27_0.28.2-2_amd64.deb
 202912eca074b7b2a6d44a82c306a907d3edf6b1 416180 libneon27-dev_0.28.2-2_amd64.deb
 cdebf19cd7cf4b7f8c3d020e7039248fbc16d126 186400 libneon27-dbg_0.28.2-2_amd64.deb
 4fc2a5eb1d242abcf15e0a3d1cfdf00452a8d49f 118842 libneon27-gnutls_0.28.2-2_amd64.deb
 67be3a6a9e931c8f9a7a42b58cfaf3faec0c2170 390168 libneon27-gnutls-dev_0.28.2-2_amd64.deb
 a1b53f53600ccaa6958c7a034eb72b7801b32766 167828 libneon27-gnutls-dbg_0.28.2-2_amd64.deb
Checksums-Sha256: 
 730a1663c85449eb957ed3dacce666629cc17916078e9f8eb746bd42a7c65e72 1218 neon27_0.28.2-2.dsc
 b02bffead850d93b07e9486b18afcb469fedcc6a374b5686a8b28eb342397429 7797 neon27_0.28.2-2.diff.gz
 b07024e3690282a3f3828f1ff0d85d8625990335eca998755a0d4b9d62d421b2 144336 libneon27_0.28.2-2_amd64.deb
 d66ce288e5d4b4011f87776b27c4b9b858f025c9048d72f835a93b38c154eb90 416180 libneon27-dev_0.28.2-2_amd64.deb
 1aa4996df68f9455c899673dfe770045ea3759d352c02dd9099ca9d94f596823 186400 libneon27-dbg_0.28.2-2_amd64.deb
 2a9f88baf269c1918690442562bd7ebd36b611a42d6239d5498e99293de1ac84 118842 libneon27-gnutls_0.28.2-2_amd64.deb
 8b1f91fdfe07d03ec766c7d043680b937d6e9296fac8a81776c120adbf4c88d6 390168 libneon27-gnutls-dev_0.28.2-2_amd64.deb
 d0433d7e19aa8553b83d0107fb7bd1bc956905dc57e093c13c8d710475a3080c 167828 libneon27-gnutls-dbg_0.28.2-2_amd64.deb
Files: 
 efcaccc1adf69f4a508968e36be8e0f9 1218 net optional neon27_0.28.2-2.dsc
 149d89a974f382fc35671f434c60f399 7797 net optional neon27_0.28.2-2.diff.gz
 cbf8c281546123ea2ac8a9628e98cbc8 144336 libs optional libneon27_0.28.2-2_amd64.deb
 fae7980fa586318214d46ecb67810018 416180 libdevel optional libneon27-dev_0.28.2-2_amd64.deb
 56422a046971dac02cbbc4691e8bbf24 186400 libdevel extra libneon27-dbg_0.28.2-2_amd64.deb
 b1048921ffe733a956817da62286b200 118842 libs optional libneon27-gnutls_0.28.2-2_amd64.deb
 446b10a5452bba02b1845d98d1e11502 390168 libdevel optional libneon27-gnutls-dev_0.28.2-2_amd64.deb
 02b9cc103f0a28e52c52f6672058fc30 167828 libdevel extra libneon27-gnutls-dbg_0.28.2-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkgUxGkACgkQMDatjqUaT91dlgCfV/8olMfGTfyXaJWPEfm0gcHp
xY4An3l+OpRaUFtyXEqAiuP+oIoiW1A4
=LGPB
-----END PGP SIGNATURE-----

Message #32 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Roland Mas <lolando@debian.org>

To: Debian BTS control <control@bugs.debian.org>, Laszlo Boszormenyi (GCS) <gcs@debian.hu>

Cc: 474139@bugs.debian.org

Subject: #474139 not fixed (libneon27)

Date: Tue, 29 Apr 2008 09:04:58 +0200

reopen 474139
found 474139 0.28.2-2
thanks

The 0.28.2-2 upload doesn't really fix the problem, I'm afraid:

roland@mirexpress ~ $ dpkg -l libneon27
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name                  Version               Description
+++-=====================-=====================-==========================================================
ii  libneon27             0.28.2-2              An HTTP and WebDAV client library
roland@mirexpress ~ $ svn ls https://svn.gforge.org/svn/gforge/
svn: PROPFIND request failed on '/svn/gforge'
svn: PROPFIND of '/svn/gforge': SSL negotiation failed: SSL error: bad decompression (https://svn.gforge.org)
roland@mirexpress ~ $ sudo dpkg -i /home/roland/libneon27_0.27.2-1_i386.deb 
dpkg - warning: downgrading libneon27 from 0.28.2-2 to 0.27.2-1.
(Reading database ... 195083 files and directories currently installed.)
Preparing to replace libneon27 0.28.2-2 (using .../libneon27_0.27.2-1_i386.deb) ...
Unpacking replacement libneon27 ...
Setting up libneon27 (0.27.2-1) ...
roland@mirexpress ~ $ svn ls https://svn.gforge.org/svn/gforge/
branches/
tags/
trunk/
roland@mirexpress ~ $ 

Roland.
-- 
Roland Mas

Two elephants fell off a cliff.
Boom, boom.

Message #41 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Frank Ganske <frank.ganske@web.de>

To: Laszlo Boszormenyi <gcs@debian.hu>

Cc: 478142@bugs.debian.org, 474139@bugs.debian.org

Subject: Bug#478142: subversion: svn "SSL negotiation failed:" in lenny since 4/15/2008

Date: Thu, 01 May 2008 19:19:30 +0200

Hello,

please have a look at Bug#478142 too. I run into problems with my 
companys Subversion repository after upgrading libneon27 (0.27.2-1) to 
0.28.2-1 and libneon27-gnutls (0.27.2-1) to 0.28.2-1.

Regards Frank

Message #46 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Peter Samuelson <peter@p12n.org>

To: Frank Ganske <frank.ganske@web.de>

Cc: 478142@bugs.debian.org, 474139@bugs.debian.org

Subject: Re: Bug#478142: subversion: svn "SSL negotiation failed:" in lenny since 4/15/2008

Date: Thu, 1 May 2008 13:49:10 -0500

[Frank Ganske]
> I've figured out the dependency. A svn up command works well, after
> downgrade libneon27_0.28.2.1 to 0.27.2.1 and
> libneon27-gnutls_0.28.2.1 to 0.27.2.1.

Thanks for following up, Frank.

I've been thinking of using libneon27-gnutls instead of libneon27
anyway - according to Joe Orton (neon upstream), svn doesn't use any of
the openssl-specific features.  Could you try this build?

  http://p12n.org/tmp/svn-gnutls/

(Also, if you haven't tried libneon27 0.28.2-2 yet, please try that too.)

Thanks,
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

Message #51 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Frank Ganske <frank.ganske@web.de>

To: Peter Samuelson <peter@p12n.org>

Cc: 478142@bugs.debian.org, 474139@bugs.debian.org

Subject: Re: Bug#478142: subversion: svn "SSL negotiation failed:" in lenny since 4/15/2008

Date: Thu, 01 May 2008 23:36:54 +0200

Peter Samuelson schrieb:
> I've been thinking of using libneon27-gnutls instead of libneon27
> anyway - according to Joe Orton (neon upstream), svn doesn't use any of
> the openssl-specific features.  Could you try this build?
> 
>   http://p12n.org/tmp/svn-gnutls/

> (Also, if you haven't tried libneon27 0.28.2-2 yet, please try that too.)

First I have updated libneon27 0.28.2-1 to 0.28.2-2 in my chrooted sid 
environment with no success. It shows the same failure as before.

After this I have installed subversion and libsvn1 from your URL with 
dpkg. It would'nt be configured since it miss libneon27-gnutls. After 
installing libneon27-gnutls with aptitude the svn ls command works well 
in sid.

Third, I've installed your packages in my lenny environment. I had to 
remove libsvn-java and libsvn-javahl before (I don't know if/where I've 
used it). And after this, the svn up command works in lenny too.

Message #56 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Peter Samuelson <peter@p12n.org>

To: Frank Ganske <frank.ganske@web.de>

Cc: 478142@bugs.debian.org, 474139@bugs.debian.org

Subject: Re: Bug#478142: subversion: svn "SSL negotiation failed:" in lenny since 4/15/2008

Date: Thu, 1 May 2008 18:48:03 -0500

[Message part 1 (text/plain, inline)]

[Frank Ganske]
> After this I have installed subversion and libsvn1 from your URL with dpkg. 
> It would'nt be configured since it miss libneon27-gnutls. After installing 
> libneon27-gnutls with aptitude the svn ls command works well in sid.

Thanks!  I will close this bug when I upload using libneon27-gnutls.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

[signature.asc (application/pgp-signature, inline)]

Message #61 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Roland Mas <lolando@debian.org>

To: Laszlo Boszormenyi (GCS) <gcs@debian.hu>, 474139@bugs.debian.org

Subject: Re: #474139 not fixed (libneon27)

Date: Mon, 05 May 2008 11:29:09 +0200

Roland Mas, 2008-04-29 09:04:58 +0200 :

> reopen 474139
> found 474139 0.28.2-2
> thanks
>
> The 0.28.2-2 upload doesn't really fix the problem, I'm afraid:

For some reason the problem doesn't occur any more today.  It may be a
coincidence, but today was the day where libneon27-gnutls was pulled
in by dependencies.

Roland.
-- 
Roland Mas

Sauvez les castors, plantez des arbres.

Message #66 received at 474139@bugs.debian.org (full text, mbox, reply):

From: "Daniel Franganillo" <dfranganillo@gmail.com>

To: 474139@bugs.debian.org

Subject: Similar problem here.

Date: Tue, 6 May 2008 16:24:21 +0200

Hi,
ive just updated my SID box and it pulled libneon27 et al on version 0.28.2-2.
It just broke any subversion operation on my svn server.

tritt@morgana:/opt/blah$ svn st -u
svn: PROPFIND request failed on '/svn/blah'
svn: PROPFIND of '/svn/blah': SSL negotiation failed: SSL error: Key
usage violation in certificate has been detected. (https://bleh)

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.24v1 (SMP w/2 CPU cores)
Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8)
(ignored: LC_ALL set to es_ES.UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libneon27 depends on:
ii  libc6                  2.7-10            GNU C Library: Shared libraries
ii  libcomerr2             1.40.8-2          common error description library
ii  libkrb53               1.6.dfsg.3-1      MIT Kerberos runtime libraries
ii  libssl0.9.8            0.9.8g-8          SSL shared libraries
ii  libxml2                2.6.32.dfsg-2     GNOME XML library
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Message #71 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Benjamin Gufler <gufler@cs.tum.edu>

To: Debian Bug Tracking System <474139@bugs.debian.org>

Subject: libneon27-gnutls: Same problem again

Date: Fri, 30 May 2008 14:42:45 +0200

Package: libneon27-gnutls
Version: 0.28.2-2
Followup-For: Bug #474139

Hi,

same problem on my box - when using svn, I get:

benj@xxxx:~/am$ svn up
svn: PROPFIND request failed on '/repo/hb/src/am/trunk'
svn: PROPFIND of '/repo/hb/src/am/trunk': SSL negotiation failed: SSL
error: Key usage violation in certificate has been detected.
(https://***********)

Benjamin


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-2-vserver-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libneon27-gnutls depends on:
ii  libc6                  2.7-11            GNU C Library: Shared libraries
ii  libcomerr2             1.40.8-2          common error description library
ii  libgnutls26            2.2.5-1           the GNU TLS library - runtime libr
ii  libkrb53               1.6.dfsg.3-2      MIT Kerberos runtime libraries
ii  libxml2                2.6.32.dfsg-2     GNOME XML library
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

Versions of packages libneon27-gnutls recommends:
ii  ca-certificates               20080514   Common CA certificates

-- no debconf information

Message #76 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Joost van Baal <j.e.vanbaal+debian-bugs@uvt.nl>

To: Debian Bug Tracking System <474139@bugs.debian.org>

Subject: svn https: Error validating server certificate

Date: Mon, 2 Jun 2008 16:05:22 +0200

[Message part 1 (text/plain, inline)]

Hi,

FWIW & FYI:

I can reproduce the bug on at least 2 different systems.

During last lenny upgrade, libneon27 got replaced with libneon27-gnutls,
and

 [UPGRADE] libgnutls26 2.2.3~rc-1 -> 2.2.5-1
 [UPGRADE] libsvn1 1.4.6dfsg1-3 -> 1.4.6dfsg1-4
 [UPGRADE] subversion 1.4.6dfsg1-3 -> 1.4.6dfsg1-4

This didn't fix the bug.  It _did_ however make the workaround to set
ssl-authority-files in ~/.subversion/servers no longer valid :(

(Perhaps the urgency of this bug should get increased?)

Bye,

Joost

[signature.asc (application/pgp-signature, inline)]

Message #81 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Joe Orton <joe@manyfish.co.uk>

To: Benjamin Gufler <gufler@cs.tum.edu>

Cc: Debian Bug Tracking System <474139@bugs.debian.org>

Subject: Re: libneon27-gnutls: Same problem again

Date: Fri, 25 Jul 2008 16:31:00 +0100

On Fri, May 30, 2008 at 02:42:45PM +0200, Benjamin Gufler wrote:
> Package: libneon27-gnutls
> Version: 0.28.2-2
> Followup-For: Bug #474139
> 
> Hi,
> 
> same problem on my box - when using svn, I get:
> 
> benj@xxxx:~/am$ svn up
> svn: PROPFIND request failed on '/repo/hb/src/am/trunk'
> svn: PROPFIND of '/repo/hb/src/am/trunk': SSL negotiation failed: SSL
> error: Key usage violation in certificate has been detected.
> (https://***********)

There are a number of different (and most likely unrelated) issues 
conflated in this bug report.

The "key usage violation" error can be caused by a server certificate 
offering an invalid certificate, see this thread:

http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2789

I'm not sure why this particular issue is not seen with OpenSSL; either 
OpenSSL happens to choose a different ciphersuite, or it does not 
enforce the key usage rules as strictly.  Regardless, GnuTLS is behaving 
correctly in rejecting the certificate in the cited case.

Regards, Joe

Message #86 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Mazen NEIFER <mazen@sequans.com>

To: 474139@bugs.debian.org

Subject: [libneon27] SVN broken on http

Date: Mon, 01 Jun 2009 13:32:53 +0200

[Message part 1 (text/plain, inline)]

Package: libneon27
Version: 0.28.4-1
Severity: serious

--- Please enter the report below this line. ---

After the following update, I could not get http acces to svn repositories.
$svn ls http://svn.freepascal.org/svn/lazarus
svn: OPTIONS of 'http://svn.freepascal.org/svn/lazarus': could not connect to server (http://svn.freepascal.org)

I'm rising the severity of this bug to serious because it is a major issue not having svn working for me and all open source community.
If this was raised before on unstable, we won't get now testing broken.

Cheers,
Mazen,

--- System information. ---
Architecture: i386
Kernel:       Linux 2.6.26-2-686

Debian Release: squeeze/sid
  500 testing         security.debian.org 
  500 testing         ftp.fr.debian.org 

--- Package information. ---
Depends                    (Version) | Installed
====================================-+-================
libc6                       (>= 2.3) | 2.9-12
libcomerr2                 (>= 1.01) | 1.41.3-1
libgssapi-krb5-2     (>= 1.6.dfsg.2) | 1.6.dfsg.4~beta1-13
libk5crypto3         (>= 1.6.dfsg.2) | 1.6.dfsg.4~beta1-13
libkrb5-3            (>= 1.6.dfsg.2) | 1.6.dfsg.4~beta1-13
libssl0.9.8            (>= 0.9.8f-5) | 0.9.8g-16
libxml2                  (>= 2.6.27) | 2.7.3.dfsg-1
zlib1g                  (>= 1:1.1.4) | 1:1.2.3.3.dfsg-13


Package's Recommends field is empty.

Package's Suggests field is empty.

[update.log (text/x-log, attachment)]

Message #91 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 474139@bugs.debian.org, 474139-subscribe@bugs.debian.org

Subject: libneon27-gnutls 0.28.4-1 breaks svn connections to etch servers

Date: Mon, 01 Jun 2009 12:52:09 -0400

[Message part 1 (text/plain, inline)]

Just a note that we're seeing this problem as well:

 https://support.mayfirst.org/ticket/2184

upgrading libneon27-gnutls to 0.28.4-1 breaks connections to an etch svn
server with this error message on the client:

 svn: OPTIONS of 'https://svn.mayfirst.org/mfpl/trunk': could not
connect to server (https://svn.mayfirst.org)

Downgrading to 0.28.2-6.1+b1 resolves the problem.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Message #96 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 474139@bugs.debian.org

Subject: failure against lenny svn servers as well

Date: Mon, 01 Jun 2009 13:52:15 -0400

[Message part 1 (text/plain, inline)]

I just tested connecting svn against a lenny svn server as well.

with libneon27-gnutls 0.28.4-1 i see the same problem.

downgrading to libneon27-gnutls_0.28.2-6.1+b1_i386.deb resolves it too.

So the problem seems like it's relevant to both etch and lenny servers.

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Message #101 received at 474139-done@bugs.debian.org (full text, mbox, reply):

From: Laszlo Boszormenyi <gcs@debian.hu>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 474139-done@bugs.debian.org, 531459-done@bugs.debian.org

Subject: Re: Bug#474139: libneon27-gnutls 0.28.4-1 breaks svn connections to etch servers

Date: Mon, 01 Jun 2009 19:42:19 +0200

Hi Daniel, fjfnaranjo,

On Mon, 2009-06-01 at 12:52 -0400, Daniel Kahn Gillmor wrote:
> upgrading libneon27-gnutls to 0.28.4-1 breaks connections to an etch svn
> server with this error message on the client:
> 
>  svn: OPTIONS of 'https://svn.mayfirst.org/mfpl/trunk': could not
> connect to server (https://svn.mayfirst.org)

.. and ...

On Mon, 2009-06-01 at 19:26 +0200, fjfnaranjo wrote:
> The last lib neon upgrade prevents subversion to connect a WebDAV svn
> server.
> 
> Downgrading the package solves the problem (but u have to download
> subversion and libsvn1).
 This is known and fixed in neon27 v0.28.4-2. Please update it from
unstable until it doesn't migrate to testing on its own.
This bug is about neon27 using SOCK_CLOEXEC socket option which is
available only in kernel v2.6.27+. If you can do it, a kernel upgrade
also sufficient.

Regards,
Laszlo/GCS

Message #106 received at 474139@bugs.debian.org (full text, mbox, reply):

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

To: 474139@bugs.debian.org, 529920@bugs.debian.org, gcs@debian.hu, 531459@bugs.debian.org

Subject: tested fix for 529920: good on i386!

Date: Mon, 01 Jun 2009 14:18:39 -0400

[Message part 1 (text/plain, inline)]

Hi Laszlo--

Thanks for the fix and the feedback!  I just built 0.28.4-2 from the
sources in unstable for i386, and it solves the problem against both
etch and lenny svn servers.  (i'm running kernel 2.6.26, so i don't have
SOCK_CLOEXEC).

Thank you very much for your quick attention to this!

Regards,

	--dkg

[signature.asc (application/pgp-signature, attachment)]

Send a report that this bug log contains spam.