Debian Bug report logs - #507374
subversion: svn info fails with "SSL negotiation failed: Secure connection truncated"


Package: subversion; Maintainer for subversion is Peter Samuelson <peter@p12n.org>; Source for subversion is src:subversion.

Reported by: Niklaus Giger <niklaus.giger@member.fsf.org>

Date: Sun, 30 Nov 2008 17:18:06 UTC

Severity: important

Found in versions subversion/1.5.4dfsg1-1, subversion/1.6.3dfsg-1, subversion/1.6.17dfsg-3



Report forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Sun, 30 Nov 2008 17:18:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niklaus Giger <niklaus.giger@member.fsf.org>:
New Bug report received and forwarded. Copy sent to Peter Samuelson <peter@p12n.org>. (Sun, 30 Nov 2008 17:18:09 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Niklaus Giger <niklaus.giger@member.fsf.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Cc: niklaus.giger@netstal.com
Subject: subversion: svn info fails with "SSL negotiation failed: Secure connection truncated"
Date: Sun, 30 Nov 2008 18:16:25 +0100
Package: subversion
Version: 1.5.4dfsg1-1
Severity: important


Using svn version 1.4.2 from etch works without problem, e.g.
svn info https://svnte.netstal.com/svn/te/ --username=nosuchUser
Authentication realm: <https://svnte.netstal.com:443> SVN TE Repo
WebAccess. Enter your eDir UID/PW

However upgrading to 1.5.x takes a long time until the timeout expires
giving me the following error:
svn info https://svnte.netstal.com/svn/te/ --username=nosuchUser
Authentication realm: <https://svnte.netstal.com:443> SVN TE Repo
WebAccess. Enter your eDir UID/PW

However other https repositories do not show this behaviour.
I have no clue about it and could not find anything sensible.
The best hint is found inside Subversion FAQ:
http://subversion.tigris.org/faq.html#ssl-negotiation-error
The difference is that an info does not involve a lot of data.

I am co-administrating the above repository, therefore it would
be possible to do any tracing/logging you would like. (Please
use niklaus.giger@netstal.com if you want to contact me during
work hours.)

Downgrading to svn 1.4.2 partly solved my problem, but as we
need mergeinfo-capable clients for commit access I cannot work
anymore with pre-1.5.x clients.

Best regards

Niklaus

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.15.7-odw
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages subversion depends on:
ii  libapr1                   1.2.12-2       The Apache Portable Runtime Librar
ii  libc6                     2.7-15         GNU C Library: Shared libraries
ii  libsasl2-2                2.1.22.dfsg1-8 Authentication abstraction library
ii  libsvn1                   1.5.4dfsg1-1   Shared libraries used by Subversio

subversion recommends no packages.

-- no debconf information


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#507374; Package subversion. (Mon, 01 Dec 2008 08:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list. (Mon, 01 Dec 2008 08:12:02 GMT) Full text and rfc822 format available.

Message #10 received at 507374@bugs.debian.org (full text, mbox):

From: Peter Samuelson <peter@p12n.org>
To: Niklaus Giger <niklaus.giger@member.fsf.org>, 507374@bugs.debian.org
Cc: niklaus.giger@netstal.com
Subject: Re: Bug#507374: subversion: svn info fails with "SSL negotiation failed: Secure connection truncated"
Date: Mon, 1 Dec 2008 02:09:47 -0600
[Niklaus Giger]
> However upgrading to 1.5.x takes a long time until the timeout expires
> giving me the following error:
> svn info https://svnte.netstal.com/svn/te/ --username=nosuchUser
> Authentication realm: <https://svnte.netstal.com:443> SVN TE Repo
> WebAccess. Enter your eDir UID/PW

Subversion 1.5 ships with two http/https backend libraries that use two
different WebDAV libraries, neon and serf.  Try the following in
~/.subversion/servers:

  [groups]
  foobar = svnte.netstal.com

  [foobar]
  http-library = serf

(Of course "foobar" can be any label.)  The serf backend prompts me for
a client certificate.  This may or may not be what you need, but at
least it is different from what the neon backend does.
-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Mon, 01 Dec 2008 18:51:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Niklaus Giger <niklaus.giger@member.fsf.org>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Mon, 01 Dec 2008 18:51:06 GMT) Full text and rfc822 format available.

Message #15 received at 507374@bugs.debian.org (full text, mbox):

From: Niklaus Giger <niklaus.giger@member.fsf.org>
To: Peter Samuelson <peter@p12n.org>
Cc: 507374@bugs.debian.org, niklaus.giger@netstal.com
Subject: Re: Bug#507374: subversion: svn info fails with "SSL negotiation failed: Secure connection truncated"
Date: Mon, 1 Dec 2008 19:47:50 +0100
Hi Peter

Nice to have feedback in such a short time. Many thanks for your work 
maintaining this very useful Debian package!

On Monday, 01 December 2008 09.09:47, Peter Samuelson wrote:
> [Niklaus Giger]
>
> > However upgrading to 1.5.x takes a long time until the timeout expires
> > giving me the following error:
> > svn info https://svnte.netstal.com/svn/te/ --username=nosuchUser
> > Authentication realm: <https://svnte.netstal.com:443> SVN TE Repo
> > WebAccess. Enter your eDir UID/PW
>
> Subversion 1.5 ships with two http/https backend libraries that use two
> different WebDAV libraries, neon and serf.  Try the following in
> ~/.subversion/servers:
>
>   [groups]
>   foobar = svnte.netstal.com
>
>   [foobar]
>   http-library = serf
>
Thanks a lot for your tip. This really solved my problem!
 
> (Of course "foobar" can be any label.)  The serf backend prompts me for
> a client certificate.  This may or may not be what you need, but at
> least it is different from what the neon backend does.
Indeed, it must prompt you for a certificate as we require one for 
authentication.

Best regards
 
Niklaus






Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Mon, 25 May 2009 22:12:18 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yan Morin <progysm@gmail.com>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Mon, 25 May 2009 22:12:18 GMT) Full text and rfc822 format available.

Message #20 received at 507374@bugs.debian.org (full text, mbox):

From: Yan Morin <progysm@gmail.com>
To: 507374@bugs.debian.org
Subject: Impossible de se connecter au serveur
Date: Mon, 25 May 2009 17:35:22 -0400
Hi,

I've got the same problem with 1.5.6 and using the serf as http-library 
"solution" works too.

Error message (in French in my case):
svn: OPTIONS de 'https://svn.server.com/trunk/project': Impossible de se 
connecter au serveur (https://svn.server.com)

Thanks

-- 
Yan Morin
Free software consultant at Progysm
progysm@gmail.com
http://www.progysm.com/
819 499-0616



Information forwarded to debian-bugs-dist@lists.debian.org, support@campbell-lange.net, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Sat, 07 Nov 2009 22:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rory Campbell-Lange <rory@campbell-lange.net>:
Extra info received and forwarded to list. Copy sent to support@campbell-lange.net, Peter Samuelson <peter@p12n.org>. (Sat, 07 Nov 2009 22:03:05 GMT) Full text and rfc822 format available.

Message #25 received at 507374@bugs.debian.org (full text, mbox):

From: Rory Campbell-Lange <rory@campbell-lange.net>
To: Debian Bug Tracking System <507374@bugs.debian.org>
Subject: subversion: [libneon27-gnutls] fails with commercial certificate
Date: Sat, 07 Nov 2009 21:40:23 +0000
Package: subversion
Version: 1.6.3dfsg-1
Severity: normal

Further to the issues already reported our commercial certificate is
reporting an svn error.

svn: OPTIONS of 'https://campbell-lange.net:4343/<reposname>': 
Certificate verification error: signed using insecure algorithm
(https://campbell-lange.net:4343)

You can check this error at https://campbell-lange.net:4343/ (which
Firefox accepts as a valid certificate).

I would be grateful for more information.

Rory


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages subversion depends on:
ii  libapr1                   1.3.8-1        The Apache Portable Runtime Librar
ii  libc6                     2.9-25         GNU C Library: Shared libraries
ii  libsasl2-2                2.1.23.dfsg1-2 Cyrus SASL - authentication abstra
ii  libsvn1                   1.6.3dfsg-1    Shared libraries used by Subversio

subversion recommends no packages.

Versions of packages subversion suggests:
pn  db4.7-util                   <none>      (no description available)
ii  patch                        2.5.9-5     Apply a diff file to an original
ii  subversion-tools             1.6.3dfsg-1 Assorted tools related to Subversi

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Sat, 07 Nov 2009 23:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Laszlo Boszormenyi <gcs@debian.hu>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Sat, 07 Nov 2009 23:51:03 GMT) Full text and rfc822 format available.

Message #30 received at 507374@bugs.debian.org (full text, mbox):

From: Laszlo Boszormenyi <gcs@debian.hu>
To: Rory Campbell-Lange <rory@campbell-lange.net>, 507374@bugs.debian.org
Subject: Re: Bug#507374: subversion: [libneon27-gnutls] fails with commercial certificate
Date: Sun, 08 Nov 2009 00:41:39 +0100
Hi Rory,

On Sat, 2009-11-07 at 21:40 +0000, Rory Campbell-Lange wrote:
> Further to the issues already reported our commercial certificate is
> reporting an svn error.
> 
> svn: OPTIONS of 'https://campbell-lange.net:4343/<reposname>': 
> Certificate verification error: signed using insecure algorithm
> (https://campbell-lange.net:4343)
> 
> You can check this error at https://campbell-lange.net:4343/ (which
> Firefox accepts as a valid certificate).
> 
> I would be grateful for more information.
 Neon just outputs the result of the GNU TLS connection error as defined
in its documentation[1]:
GNUTLS_CERT_INSECURE_ALGORITHM:
        The certificate was signed using an insecure algorithm such as
        MD2 or MD5. These algorithms have been broken and should not be
        trusted.

Indeed, your certificate is signed with MD5; see "Certificate Signature
Algorithm" part of your certificate, it says "PKCS #1 MD5 With RSA
Encryption".

A recent conversation on the Subversion mailing list[2] states that it
doesn't have an option to ask Neon/GNU TLS to ignore this error.

Can you ask for a new certificate signed with a more secure algorithm?

Regards,
Laszlo/GCS
[1] http://www.gnu.org/software/gnutls/manual/html_node/Verifying-X_002e509-certificate-paths.html
[2] http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&viewType=browseAll&dsMessageId=2401276





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#507374; Package subversion. (Sun, 08 Nov 2009 00:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter Samuelson <peter@p12n.org>:
Extra info received and forwarded to list. (Sun, 08 Nov 2009 00:51:03 GMT) Full text and rfc822 format available.

Message #35 received at 507374@bugs.debian.org (full text, mbox):

From: Peter Samuelson <peter@p12n.org>
To: 507374@bugs.debian.org
Cc: Rory Campbell-Lange <rory@campbell-lange.net>
Subject: Re: Bug#507374: subversion: [libneon27-gnutls] fails with commercial certificate
Date: Sat, 7 Nov 2009 18:39:22 -0600
[Laszlo Boszormenyi]
> GNUTLS_CERT_INSECURE_ALGORITHM:
>         The certificate was signed using an insecure algorithm such as
>         MD2 or MD5. These algorithms have been broken and should not be
>         trusted.

Thanks for the followup, Laszlo.

Rory, if you read /usr/share/doc/libgnutls26/changelog.Debian.gz,
you'll see this happened in gnutls 2.4.2-5.  And, as Laszlo said,
there isn't much Subversion can do about it.

Thanks,
Peter




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Sun, 08 Nov 2009 15:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rory Campbell-Lange <rory@campbell-lange.net>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Sun, 08 Nov 2009 15:57:03 GMT) Full text and rfc822 format available.

Message #40 received at 507374@bugs.debian.org (full text, mbox):

From: Rory Campbell-Lange <rory@campbell-lange.net>
To: Peter Samuelson <peter@p12n.org>
Cc: 507374@bugs.debian.org
Subject: Re: Bug#507374: subversion: [libneon27-gnutls] fails with commercial certificate
Date: Sun, 8 Nov 2009 15:55:00 +0000
On 07/11/09, Peter Samuelson (peter@p12n.org) wrote:
> [Laszlo Boszormenyi]
> > GNUTLS_CERT_INSECURE_ALGORITHM:
> >         The certificate was signed using an insecure algorithm such as
> >         MD2 or MD5. These algorithms have been broken and should not be
> >         trusted.
> 
> Thanks for the followup, Laszlo.
> 
> Rory, if you read /usr/share/doc/libgnutls26/changelog.Debian.gz,
> you'll see this happened in gnutls 2.4.2-5.  And, as Laszlo said,
> there isn't much Subversion can do about it.

Hi Peter, Laszlo

We'll look into this with the certificate provider

Thanks
Rory




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Fri, 29 Jan 2010 00:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ivan Havlicek <ivan@modulix.org>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Fri, 29 Jan 2010 00:51:03 GMT) Full text and rfc822 format available.

Message #45 received at 507374@bugs.debian.org (full text, mbox):

From: Ivan Havlicek <ivan@modulix.org>
To: 507374@bugs.debian.org
Subject: Some news about this ?
Date: Fri, 29 Jan 2010 01:49:18 +0100
Hi,

As I use a commercial cert too, with no more success since my last
gnutls upgrade, I want to know if it isn't really a bug before buying a new one.

Here are my cert properties:

    Data:
        Version: 3 (0x2)
        Serial Number: 606869 (0x94295)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Aug 28 10:22:07 2008 GMT
            Not After : Aug 28 10:22:07 2013 GMT
...
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
...
        X509v3 extensions:
            X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
            5F:6A:67:7F:BC:BF:7D:B4:C0:2C:27:EB:67:E1:93:5E:AA:52:FE:DC
            X509v3 CRL Distribution Points:
            URI:http://crl.geotrust.com/crls/globalca1.crl

            X509v3 Authority Key Identifier:
            keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C

            X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
            CA:FALSE
    Signature Algorithm: md5WithRSAEncryption

Thanks for verifying (is geotrust delivering bad certs?)
-- 
                                                              Ivan
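
The check discussed in the two messages above (reading a certificate's "Signature Algorithm" field and comparing it against the digests GnuTLS rejects) can be scripted. This is an added example, not part of any message in this bug log; the function names are made up for illustration, the sample text is abridged from the dump posted above, and only MD2 and MD5 are flagged because those are the digests named in the quoted GnuTLS documentation.

```shell
#!/bin/sh
# Added example: flag certificates signed with a digest that GnuTLS reports as
# GNUTLS_CERT_INSECURE_ALGORITHM (MD2 or MD5, per the documentation quoted in
# this thread). Input is the text produced by `openssl x509 -noout -text`.

# Sample input, abridged from the certificate dump posted in this bug log.
SAMPLE_DUMP='    Data:
        Version: 3 (0x2)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
            Public Key Algorithm: rsaEncryption
    Signature Algorithm: md5WithRSAEncryption'

# Print each distinct signature algorithm named in the dump on stdin.
# The field appears twice in a certificate (inner and outer), hence sort -u.
sig_algs() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Exit status: 0 = no MD2/MD5 signature found, 1 = at least one found,
# 2 = no "Signature Algorithm" line at all (input is not a certificate dump).
# Limitation: for RSASSA-PSS the digest is on a separate "Hash Algorithm"
# line, which this check does not inspect.
check_sig_alg() {
    algs=$(sig_algs)
    [ -n "$algs" ] || { echo "no signature algorithm found"; return 2; }
    status=0
    for a in $algs; do
        case $(printf '%s' "$a" | tr '[:upper:]' '[:lower:]') in
            md2*|md5*) echo "WEAK: $a"; status=1 ;;
            *)         echo "ok: $a" ;;
        esac
    done
    return $status
}

# Convenience wrapper for a PEM file on disk (requires the openssl CLI).
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_sig_alg
}

# Demo on the embedded sample; prints "WEAK: md5WithRSAEncryption".
printf '%s\n' "$SAMPLE_DUMP" | check_sig_alg || true
```
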

Information forwarded to debian-bugs-dist@lists.debian.org, Peter Samuelson <peter@p12n.org>:
Bug#507374; Package subversion. (Wed, 25 Apr 2012 21:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Peter T. Breuer" <ptb@inv.it.uc3m.es>:
Extra info received and forwarded to list. Copy sent to Peter Samuelson <peter@p12n.org>. (Wed, 25 Apr 2012 21:27:04 GMT) Full text and rfc822 format available.

Message #50 received at 507374@bugs.debian.org (full text, mbox):

From: "Peter T. Breuer" <ptb@inv.it.uc3m.es>
To: Debian Bug Tracking System <507374@bugs.debian.org>
Subject: subversion: My svn cured by preloading libneon27 to replace libneon27-gnutls
Date: Wed, 25 Apr 2012 23:05:41 +0200
Package: subversion
Version: 1.6.17dfsg-3
Followup-For: Bug #507374

Dear Maintainer,

After an upgrade recently (say a month ago), svn to plain vanilla
sourceforge.net repositories stopped with

  SSL handshake failed: Secure connection truncated.

Now, I already knew what to do about this since I tracked down the same
symptom some months before (yes, real debugging) to a mistaken ssl
connect, and I'd cured it then by figuring out that libneon27 should be
preloaded clientside in order to displace libneon27-gnutls, which seemed
not to be real compatible with whatever ssl sourceforge are using.
Recompiling the client against libneon27 also made the problem
disappear back then.

However, the problem had gone away about March 2011 with successive
upgrades (I'd encountered it first in January).  So I'd ceased using my
preload workaround.

But the connect problem came back after recent upgrades.

Cured it the same way - reestablished my shell alias for svn :

   # fix svn to not use libneon-gnutls
   alias svn '( setenv LD_PRELOAD /usr/lib/libneon.so.27; \svn \!* )'

(tcsh).

Now, however, I've got back home from my travels and found that
the unaliased svn still seems to be OK.  Both are fine.  Perhaps it only
went wrong when I used my telephone as a wireless hub?  That was
slowwwww ...  perhaps there's a timeout in the libneon27-gnutls code
that is much tighter than the libneon27 timeout? Or perhaps it has to
work just once to fix everything?

When I start travelling again I'll try it both ways.



-- System Information:
Debian Release: wheezy/sid
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'testing'), (100, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.39.4 (PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/dash

Versions of packages subversion depends on:
ii  libapr1     1.4.6-1
ii  libc6       2.13-27
ii  libsasl2-2  2.1.25.dfsg1-4
ii  libsvn1     1.6.17dfsg-3

subversion recommends no packages.

Versions of packages subversion suggests:
ii  db4.8-util        <none>
ii  patch             2.6.1-3
ii  subversion-tools  1.6.17dfsg-3

OTHERS
ii  libneon27      0.29.6-3 


-- no debconf information






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 13:02:35 2014; Machine Name: beach.debian.org
