Context Navigation

← Previous Ticket
Next Ticket →

#16 reopened defect

svn commit with HTTPSでエラーが起こる

Reported by:	mitty	Owned by:	mitty
Priority:	blocker	Component:	configuration
Keywords:		Cc:

Description (last modified by mitty)

error message
1. apache2 access log
test environment
1. 発生条件

error message

svn --no-auth-cache --username mitty ci -m " * mod"

(snip)
Sending        trunk/ywqR5wC5KT
Sending        trunk/yxFQsEQHJU
svn: Commit failed (details follow):
svn: CHECKOUT of '/svn/failtest/!svn/ver/2/trunk/yxFQsEQHJU': SSL negotiation failed: SSL error: parse tlsext (https://lab.mitty.jp)

svn --no-auth-cache --username mitty ci -m " * remove"

(snip)
Deleting       trunk/u1fyI4QKQe
Deleting       trunk/uqzHb0GBV2
svn: Commit failed (details follow):
svn: DELETE of '/svn/failtest/!svn/wrk/518a050a-6d10-49ab-9c84-9990aa5a6b33/trunk/uqzHb0GBV2': SSL negotiation failed: SSL error: parse tlsext (https://lab.mitty.jp)

svn --no-auth-cache --username mitty ci -m " * remove"

(snip)
Adding         branches/GDIovcGJtI
Adding         branches/I6yZir39ZN
svn: Commit failed (details follow):
svn: PROPFIND of '/svn/failtest/trunk/I6yZir39ZN': SSL negotiation failed: SSL error: parse tlsext (https://lab.mitty.jp)

svn --no-auth-cache --username mitty ci -m " * remove"

(snip)
Adding         branches/zEyZMfQaE4
Adding         branches/zYpc5NR3SF
Transmitting file data .......svn: Commit failed (details follow):
svn: PUT of '/svn/failtest/!svn/wrk/d4ef143f-d21a-49bf-821a-0aaae744ec83/branches/u10DxQri4u': SSL negotiation failed: SSL error: parse tlsext (https://lab.mitty.jp)

svn --no-auth-cache --username mitty up

(snip)
A    branches/b5oW4cSz2H
A    branches/kJFJTQ7ABX
svn: PROPFIND of '/svn/failtest/trunk/JMHgjHhETC': SSL negotiation failed: SSL error: parse tlsext (https://lab.mitty.jp)

apache2 access log

/var/log/apache2/*_20101021_log

130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/trunk/b5oW4cSz2H HTTP/1.1" 207 452 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/!svn/vcc/default HTTP/1.1" 207 148 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/!svn/bc/4/trunk/b5oW4cSz2H HTTP/1.1" 207 436 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "GET /svn/failtest/!svn/bc/4/trunk/b5oW4cSz2H HTTP/1.1" 200 244 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/!svn/bc/4/trunk/b5oW4cSz2H HTTP/1.1" 207 804 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/trunk/kJFJTQ7ABX HTTP/1.1" 207 500 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/!svn/vcc/default HTTP/1.1" 207 148 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/!svn/bc/4/trunk/kJFJTQ7ABX HTTP/1.1" 207 452 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "GET /svn/failtest/!svn/bc/4/trunk/kJFJTQ7ABX HTTP/1.1" 200 244 "-" "SVN/1.6.5 (r38866) neon/0.28.3"
130.158.XXX.YYY - - [21/Oct/2010:15:00:56 +0900] "PROPFIND /svn/failtest/!svn/bc/4/trunk/kJFJTQ7ABX HTTP/1.1" 207 836 "-" "SVN/1.6.5 (r38866) neon/0.28.3"

error logには出力はない

test environment

apache2 -V

Server version: Apache/2.2.14 (Ubuntu)
Server built:   Sep 28 2010 12:54:21
Server's Module Magic Number: 20051115:23
Server loaded:  APR 1.3.8, APR-Util 1.3.9
Compiled using: APR 1.3.8, APR-Util 1.3.9
Architecture:   64-bit
Server MPM:     Worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/worker"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT=""
 -D SUEXEC_BIN="/usr/lib/apache2/suexec"
 -D DEFAULT_PIDLOG="/var/run/apache2.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
 -D SERVER_CONFIG_FILE="/etc/apache2/apache2.conf"

libapache2-svn
```
Version: 1.6.6dfsg-2ubuntu1
```

svn --version

svn, version 1.6.5 (r38866)
   compiled Oct 16 2009, 02:54:10

Copyright (C) 2000-2009 CollabNet.
Subversion is open source software, see http://subversion.tigris.org/
This product includes software developed by CollabNet (http://www.Collab.Net/).

The following repository access (RA) modules are available:

* ra_neon : Module for accessing a repository via WebDAV protocol using Neon.
  - handles 'http' scheme
  - handles 'https' scheme
* ra_svn : Module for accessing a repository using the svn network protocol.
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme

on Mac OS X Server

テストファイルの生成にはmakerandom.plを使用

発生条件

一つ二つのファイルによるsvn commitやsvn deleteなどでは発生しない
大量のファイルをadd,copy,move,removeなどすると起こる
SVN/1.6.5 (r38866) neon/0.28.3 on MacOS X以外では発生を確認できず。
1. SVN/1.6.6 (r40053) neon/0.29.0 on Ubuntu lucid x64
2. SVN/1.6.13 (r1002816) neon/0.29.4 from CollabNet on Windows 7 x64
3. SVN/1.6.13 (r1002816)/TortoiseSVN-1.6.11.20210 neon/0.29.4 on Windows 7 x64

Change History (5)

comment:1 Changed 14 years ago by mitty

Description modified (diff)

comment:2 Changed 14 years ago by mitty

SSL error: parse tlsext
- That looks like it is only part of the actual error code. I suspect it is because the server doesn't support secure renegotiation. You can check this by doing:
  - openssl s_client -connect xxx.org:443
- しかし、本件では当てはまらない模様
  - openssl s_client -connect localhost:443
```
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
```

comment:3 Changed 14 years ago by mitty

"SSL error parse tlsext" on large commit to SVN via Apache, Gentoo - Server Fault
- It is suggested that downgrading to 2.2.11 may fix it, as well as setting SSLProtocol -ALL +SSLv2 +SSLv3 in your Apache config.
- After reading the http-dev thread about this issue, archived at http://www.gossamer-threads.com/lists/apache/dev/375633 , it seems this issue is caused by a bug in the client-side OpenSSL library in regards to how SSL Tickets / IDs are handled, which explains why the error does not occur immediately, but takes a few seconds to minutes.

Last edited 14 years ago by mitty (previous) (diff)

comment:4 follow-up: ↓ 5 Changed 14 years ago by mitty

Owner set to mitty
Status changed from new to deploy

subversionのupdateによる解決
- wiki:Dev/build/subversion#buildonMacOSX

comment:5 in reply to: ↑ 4 Changed 13 years ago by mitty

Status changed from deploy to reopened

Replying to mitty:

subversionのupdateによる解決

依然として「SSL negotiation failed: SSL error: parse tlsext」が起きるので、直っていない
svn自体ではなくてopensslのversionを上げる必要がある？

Note: See TracTickets for help on using tickets.

Download in other formats: