Bug 1226399 - Fix: svn client broken in LEAP 15.6 due to kTLS and libserf interaction
Status: RESOLVED DUPLICATE of bug 1222854
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Development
Version: Leap 15.6
Hardware: x86-64 Other
Priority: P5 - None, Severity: Critical
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
Reported: 2024-06-16 06:52 UTC by Henryk Paluch
Modified: 2024-06-16 07:10 UTC


Attachments
Disable kTLS in BIO_ctrl (517 bytes, patch)
2024-06-16 06:52 UTC, Henryk Paluch

Description Henryk Paluch 2024-06-16 06:52:20 UTC
Created attachment 875504
Disable kTLS in BIO_ctrl

Svn in LEAP 15.6 is unable to access any https SVN server (it loops forever), while the same SVN client works without issues in LEAP 15.5.

How to reproduce:

1. Bug occurs only in LEAP 15.6 (works properly in LEAP 15.5)
2. install SVN:

zypper in subversion
rpm -q subversion libserf-1-1

  subversion-1.14.1-150400.3.8.x86_64
  libserf-1-1-1.3.9-150600.18.3.2.x86_64


3. Try to connect to any https server:

svn info https://svn.apache.org/repos/asf/serf/trunk

4. It will loop forever

The problem is caused by OpenSSL's Kernel TLS (kTLS) interaction with libserf (libserf is used as a layer between svn and OpenSSL).

There is a terse description of this problem (even mentioning libserf) here:
https://github.com/openssl/openssl/issues/14595#issuecomment-801969560

> The only buggy BIO types I know about are in Apache serf
> and Apache ssl_engine_io.c, but I also haven't been on
> the front lines for this. T

Tracing shows that unpatched libserf sends invalid TLS data (missing the initial 5-byte record when compared to the working version), because OpenSSL expects that the data will be generated by kernel kTLS. So the TLS server immediately closes the connection as invalid TLS communication.

How to fix:

1. You will need the provided patch serf-disable-ktls.patch
2. Install and unpack the libserf source:

zypper si libserf
rpmbuild -bp /usr/src/packages/SPECS/libserf.spec

3. Now apply the provided patch:

cd /usr/src/packages/BUILD
patch -p0 < ../SOURCES/serf-disable-ktls.patch

4. Do a short-circuit build (to avoid overwriting the fixed sources):

rpmbuild -bc --short-circuit /usr/src/packages/SPECS/libserf.spec

5. Test svn with the patched libserf; it should now work properly:

LD_LIBRARY_PATH=/usr/src/packages/BUILD/serf-1.3.9 svn info https://svn.apache.org/repos/asf/serf/trunk
Path: trunk
URL: https://svn.apache.org/repos/asf/serf/trunk
Relative URL: ^/serf/trunk
Repository Root: https://svn.apache.org/repos/asf
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 1918360
Node Kind: directory
Last Changed Author: kotkov
Last Changed Rev: 1910150
Last Changed Date: 2023-05-31 20:36:21 +0200 (Wed, 31 May 2023)
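
A check for the symptom described in the report above (client data arriving without its initial 5 bytes of TLS record framing), as an added example that is not part of the original report or of libserf. The sample bytes are constructed, and `walk_records` is a hypothetical helper name; feed it the client-to-server bytes from a trace to see where record framing breaks.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1, RFC 8446 section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048   # largest ciphertext fragment TLS 1.2 allows


def walk_records(stream: bytes):
    """Split a captured client->server byte stream into TLS records.

    Returns (records, error): records is a list of (type_name, version, length),
    error is None or a string saying where the record framing broke.
    """
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            return records, f"offset {off}: truncated record header"
        # 5-byte header: content type, version major/minor, 16-bit length
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT_TYPES:
            return records, f"offset {off}: no record header (type byte 0x{ctype:02x})"
        if major != 3 or minor > 4:
            return records, f"offset {off}: bad version {major}.{minor}"
        if length > MAX_FRAGMENT:
            return records, f"offset {off}: length {length} too large"
        if off + 5 + length > len(stream):
            return records, f"offset {off}: record body truncated"
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        off += 5 + length
    return records, None


# Constructed sample data: a handshake message header (type 1, 24-bit
# length 8) plus a dummy body, standing in for a ClientHello.
hello_body = b"\x01\x00\x00\x08" + b"\xaa" * 8
framed = b"\x16\x03\x01" + struct.pack("!H", len(hello_body)) + hello_body
unframed = hello_body   # same payload with the 5-byte record header missing

if __name__ == "__main__":
    for name, data in (("framed", framed), ("unframed", unframed)):
        print(name, walk_records(data))
```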
Comment 1 Andreas Stieger 2024-06-16 07:10:40 UTC
Thanks, let's move this to bug 1222854

*** This bug has been marked as a duplicate of bug 1222854 ***