Debian Bug report logs - #498351
libneon27-gnutls: latest upgrades broke svn https auth

Package: libneon27-gnutls; Maintainer for libneon27-gnutls is Laszlo Boszormenyi (GCS) <gcs@debian.org>; Source for libneon27-gnutls is src:neon27 (PTS, buildd, popcon).

Reported by: Yves-Alexis <corsac@debian.org>

Date: Tue, 9 Sep 2008 11:27:01 UTC

Severity: important

Found in version neon27/0.28.2-5

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#498351; Package libneon27-gnutls. (full text, mbox, link).

Acknowledgement sent to Yves-Alexis <corsac@debian.org>:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: libneon27-gnutls
Version: 0.28.2-5
Severity: important

Hi,

I just got back from holidays, sync'ed our internal mirror, and done an
upgrade. When upgrading libneon27, it broke auth to our internal svn server,
using https.

It was working perfectly fine with -3, now with -5 svn keeps asking
username/password.

Adding --verbose to svn doesn't help. I'll try to see if I can debug with neon
directly, but I'm not sure how to do that.

Cheers,
--
Yves-Alexis Perez


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24-etchnhalf.1-amd64
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#498351; Package libneon27-gnutls. (full text, mbox, link).

Acknowledgement sent to Yves-Alexis <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (full text, mbox, link).

Message #10 received at 498351@bugs.debian.org (full text, mbox, reply):

On Tue, Sep 09, 2008 at 01:25:56PM +0200, Yves-Alexis wrote:
> -- System Information:
> Debian Release: 4.0
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.24-etchnhalf.1-amd64
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

I redacted this bug report on an etch box outside, because I have no net
access on the machine I'm testing on. But it runs sid, so don't pay
attention to that.

Cheers,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#498351; Package libneon27-gnutls. (full text, mbox, link).

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (full text, mbox, link).

Message #15 received at 498351@bugs.debian.org (full text, mbox, reply):

And I checked that downgrading fixes the issue. I could only downgrade
to -2 because I don't have -3, but I guess the problem really lies in
-4.

Cheers,
-- 
Yves-Alexis

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#498351; Package libneon27-gnutls. (full text, mbox, link).

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (full text, mbox, link).

Message #20 received at 498351@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Hem?

is there any news for this? It's quite disruptive…

Cheers,
-- 
Yves-Alexis

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#498351; Package libneon27-gnutls. (Thu, 16 Oct 2008 13:30:02 GMT) (full text, mbox, link).

Acknowledgement sent to Joe Orton <jorton@redhat.com>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (Thu, 16 Oct 2008 13:30:02 GMT) (full text, mbox, link).

Message #25 received at 498351@bugs.debian.org (full text, mbox, reply):

On Tue, Sep 09, 2008 at 01:25:56PM +0200, Yves-Alexis wrote:
> It was working perfectly fine with -3, now with -5 svn keeps asking
> username/password.
> 
> Adding --verbose to svn doesn't help. I'll try to see if I can debug with neon
> directly, but I'm not sure how to do that.

Can you add:

[global]
neon-debug-mask = 511

to your ~/.subversion/servers

to get debug info out of neon, and send me the output?

Regards, Joe

Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (Thu, 16 Oct 2008 14:18:02 GMT) (full text, mbox, link).

Message #30 received at 498351@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On Thu, Oct 16, 2008 at 01:56:02PM +0100, Joe Orton wrote:
> On Tue, Sep 09, 2008 at 01:25:56PM +0200, Yves-Alexis wrote:
> > It was working perfectly fine with -3, now with -5 svn keeps asking
> > username/password.
> > 
> > Adding --verbose to svn doesn't help. I'll try to see if I can debug with neon
> > directly, but I'm not sure how to do that.
> 
> Can you add:
> 
> [global]
> neon-debug-mask = 511
> 
> to your ~/.subversion/servers
> 
> to get debug info out of neon, and send me the output?

Attached.
-- 
Yves-Alexis

[svn-debug.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
Bug#498351; Package libneon27-gnutls. (Fri, 17 Oct 2008 08:24:06 GMT) (full text, mbox, link).

Acknowledgement sent to Joe Orton <joe@manyfish.co.uk>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>. (Fri, 17 Oct 2008 08:24:06 GMT) (full text, mbox, link).

Message #35 received at 498351@bugs.debian.org (full text, mbox, reply):

On Thu, Oct 16, 2008 at 04:10:29PM +0200, Yves-Alexis Perez wrote:
...
> [status-line] < HTTP/1.1 401 Authorization Required
> [hdr] Date: Thu, 16 Oct 2008 13:56:07 GMT
> Header Name: [date], Value: [Thu, 16 Oct 2008 13:56:07 GMT]
> [hdr] Server: Apache
> Header Name: [server], Value: [Apache]
> [hdr] WWW-Authenticate: Digest realm="Subversion@gutenberg", nonce="FRrgNV9ZBAA=624c95147ca7595edf74afc01d90934d51efa2f5", algorithm=MD5, domain="svnserver.tld/wsvn/ wsvn/", qop="auth"
> Header Name: [www-authenticate], Value: [Digest 
> realm="Subversion@gutenberg", 
> nonce="FRrgNV9ZBAA=624c95147ca7595edf74afc01d90934d51efa2f5", 
> algorithm=MD5, domain="svnserver.tld/wsvn/ wsvn/", qop="auth"]

The problem is the domain parameter which the server is sending; it's 
invalid and excludes the /svn repository which you're trying to use, so 
neon refuses to use Digest auth for that path.  "svnserver.tld/wsvn/" 
does not mean what you might expect, either, it would resolve to a URI 
of e.g http://blah/svnserver.tld/wsvn/, not http://svnserver.tld/wsvn/

(The domain parameter is controlled by the AuthDigestDomain directive in 
the server config)

I might have to change neon to ignore the domain parameter in the case 
where it excludes the current request-URI, since that seems to be 
clearly a config error.

Regards, Joe

Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Fri, 17 Oct 2008 08:51:06 GMT) (full text, mbox, link).

Notification sent to Yves-Alexis <corsac@debian.org>:
Bug acknowledged by developer. (Fri, 17 Oct 2008 08:51:06 GMT) (full text, mbox, link).

Message #40 received at 498351-done@bugs.debian.org (full text, mbox, reply):

On Fri, Oct 17, 2008 at 09:22:13AM +0100, Joe Orton wrote:
> The problem is the domain parameter which the server is sending; it's 
> invalid and excludes the /svn repository which you're trying to use, so 
> neon refuses to use Digest auth for that path.  "svnserver.tld/wsvn/" 
> does not mean what you might expect, either, it would resolve to a URI 
> of e.g http://blah/svnserver.tld/wsvn/, not http://svnserver.tld/wsvn/
> 
> (The domain parameter is controlled by the AuthDigestDomain directive in 
> the server config)

Thanks. That completely fix the problem. Indeed we had a <Location />
which was pointing to websvn, with a different AuthDigestDomain
directive.
> 
> I might have to change neon to ignore the domain parameter in the case 
> where it excludes the current request-URI, since that seems to be 
> clearly a config error.

Thanks so much, it was really blocking for us, and not to easy to see
the problem (especially since it worked in previous versions :) ).

I'm closing the bug for now.

Cheers,
-- 
Yves-Alexis

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Nov 2008 07:26:33 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 06:33:42 2018; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #498351 libneon27-gnutls: latest upgrades broke svn https auth

Debian Bug report logs - #498351
libneon27-gnutls: latest upgrades broke svn https auth