Bugzilla – Bug 1222854
https subversion checkout fails
Last modified: 2024-06-27 09:23:52 UTC
Fresh install of current beta, with just "subversion" package added. At the time of writing that is subversion-1.14.1-150400.3.8. Trying to checkout any https url fails. For example "svn co https://opensuse.org" (yes, I know there is no repository there, there doesn't need to be), the command never returns. tcpdump shows lots of activity on port 443, but the TLS connection never establishes. Other programs (w3m for example) are able to establish TLS connection without problem.
My expected result with that URL would be:
    Redirecting to URL 'https://www.opensuse.org':
    svn: E170013: Unable to connect to a repository at URL 'https://www.opensuse.org'
    svn: E175003: The server at 'https://www.opensuse.org' does not support the HTTP/DAV protocol
SUSE:SLE-15-SP4:Update/subversion
Reproduced on Leap 15.6 beta only
Hi all,
* it's all subversion commands that fail, not only "checkout". Also affected: "update", "list", ...
* a "strace -f -e trace=all svn up" shows that the command is stuck in an infinite loop:
  . read /etc/crypto-policies/back-ends/openssl.config
  . read /var/lib/ca-certificates/ca-bundle.pem
  . connect to port 443 of subversion server
  . try to communicate with the remote
  . and restart
* Leap 15.5 is not affected, Leap 15.6 is. The two files above have not changed between both versions, from what I can see.
* on the server side, I did not spot something relevant in Apache's logs
* it was working fine until recently in Leap 15.6
I am available in slack for testing if needed.
Hope that helps,
I updated to libserf-1-1-1.3.9-150600.18.3.2.x86_64, it does not help.
I set up a simple web server using:
    openssl s_server -key privkey.pem -cert fullchain.pem -accept 443 -www -msg
When subversion from 15.5 connects I get:
    ACCEPT
    <<< ??? [length 0005]
        16 03 01 02 00
    <<< TLS 1.3, Handshake [length 0200], ClientHello
    ...
When subversion from 15.6 connects I get:
    ACCEPT
    <<< ??? [length 0005]
        01 00 01 fc 03
    139678608217920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    <<< ??? [length 0005]
        01 00 01 fc 03
    139678608217920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    <<< ??? [length 0005]
        01 00 01 fc 03
    139678608217920:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
Looking into this it appears that the first 5 bytes of the TLS connection are simply missing when using 15.6:
On 15.5:
    writev(5, [{iov_base="\26\3\1\2\0\1\0\1\374\3\3j\231f\312\376_\20U\2\26\212\241\37\235\264\211\236\245F2,"..., iov_len=517}], 1) = 517
On 15.6:
    writev(4, [{iov_base="\1\0\1\374\3\3\10y\334\204\360\344\354l\26jd\211GTk\375a\327\213Z\223\31\300\213\267\321"..., iov_len=512}], 1) = 512
That is unfortunately as far as I can go in diagnosing this.
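The two byte patterns in the comments above can be told apart mechanically. The following is an added example, not part of the bug report and not code from serf or OpenSSL: a Python check that decides whether a client's first bytes start with a 5-byte TLS record header or with a bare ClientHello handshake header. The function name `classify` and the zero padding of the samples are assumptions.

```python
import struct

RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "ClientHello"}
MAX_RECORD_LEN = 2**14 + 2048   # largest TLS 1.2 ciphertext record


def classify(data: bytes):
    """Diagnose the first bytes a TLS peer received from a client.

    Returns ("record", content_type, length) for a well-formed record header,
    ("bare-handshake", message_type, length, misread_version) when a handshake
    message arrives with no record header in front, else ("unknown",).
    """
    if len(data) < 5:
        raise ValueError("need at least the 5 bytes of a record header")
    # Record header: content type (1), protocol version (2), length (2).
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype in RECORD_TYPES and version >> 8 == 3 and length <= MAX_RECORD_LEN:
        return ("record", RECORD_TYPES[ctype], length)
    # Handshake header: message type (1), length (3); in a ClientHello the
    # next field is legacy_version, whose first byte is 0x03.
    hs_len = int.from_bytes(data[1:4], "big")
    if data[0] in HANDSHAKE_TYPES and data[4] == 3 and len(data) <= hs_len + 4:
        # 'version' is what a receiver finds in the header's version slot.
        return ("bare-handshake", HANDSHAKE_TYPES[data[0]], hs_len, version)
    return ("unknown",)


# Constructed samples: the leading bytes are the ones shown in the strace
# output above; the rest is zero padding up to the reported iov_len.
LEAP_15_5 = bytes.fromhex("1603010200010001fc0303").ljust(517, b"\0")
LEAP_15_6 = bytes.fromhex("010001fc0303").ljust(512, b"\0")

if __name__ == "__main__":
    for name, sample in (("15.5", LEAP_15_5), ("15.6", LEAP_15_6)):
        print(name, classify(sample))
```

For the 15.6 sample the handshake length plus its 4-byte header equals the 512 bytes written, and the version slot of the would-be record header reads 0x0001, which matches the "wrong version number" error on the server side.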
Ok, not quite as far as I can go. After applying libserf-1-1-1.3.10-1.5.x86_64.rpm from Tumbleweed repo (and its dependencies - libgdbm6-1.23-3.3.x86_64.rpm, libldap2-2.6.7-2.1.x86_64.rpm), subversion is now working for me.
Hello Jonathan and Eric, thank you for your report and time to debug this issue. I checked libserf and version 1.3.10 adds support for openSSL-3, which is the default version used to build packages on Leap 15.6. I am currently working to update libserf to 1.3.10 in Leap 15.6, I'll keep you updated.
Right, on Leap 15.6 (not Tumbleweed) I got libserf-1-1-1.3.9-150600.18.3.2.x86_64 this morning, which is not the version with the fix. I guess I just have to wait then :). Thanks Danilo for your efforts in fixing this.
Using the Tumbleweed package and dependencies is not recommended. Use the one built for Leap 15.6 specifically:
    devel:tools:scm:svn/libserf
    devel:tools:scm:svn/subversion
*** Bug 1226399 has been marked as a duplicate of this bug. ***
Henryk noted in bug 1226399
> There is terse description of this problem (even mentioning libserf) here:
> https://github.com/openssl/openssl/issues/14595#issuecomment-801969560
He attached a patch. Btw I checked (my) upstream serf and this change is not in there either.
Correction: this seems to be fixed upstream with a slightly different patch. So 1.3.10 would be needed to address this. Since Danilo already synced the cl and comment #11 and comment #12 are private I think the 1.3.10 is in the maintenance process already.
GitHub comment https://github.com/openssl/openssl/issues/14595#issuecomment-802157299 also references this upstream JIRA bug: https://issues.apache.org/jira/browse/SERF-198
Which suggests that serf-1.3.10 includes kTLS fix (not yet tested by me).
(In reply to Andreas Stieger from comment #10)
> Using the Tumbleweed package and dependencies is not recommended.
> Use the one built for Leap 15.6 specifically:
>
> devel:tools:scm:svn/libserf
> devel:tools:scm:svn/subversion
I'm sorry for novice question, but I'm unable to find 1st mentioned repo "devel:tools:scm:svn/libserf". I found and did this (on LEAP 15.6):
    zypper ar http://download.opensuse.org/repositories/devel:/tools:/scm:/svn/15.6/ devel_tools_scm_svn
    zypper pa devel_tools_scm_sv
But later "zypper pa..." command shows no libserf packages.
Looking into parent directory http://download.opensuse.org/repositories/devel:/tools:/scm:/ I'm unable to find svn/libserf there.
SUSE-RU-2024:2155-1: An update that has three fixes can now be installed.
Category: recommended (moderate)
Bug References: 1221211, 1222854, 1224089
Maintenance Incident: [SUSE:Maintenance:34282](https://smelt.suse.de/incident/34282/)
Sources used:
    openSUSE Leap 15.6 (src): libserf-1.3.10-150600.18.8.2
    Basesystem Module 15-SP6 (src): libserf-1.3.10-150600.18.8.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
I received libserf 1.3.10 with today's update of Leap 15.6 and the issue is gone. The issue can be closed IMHO. Thanks everyone.
Thanks everyone for the help! Closing as fixed.