subversion-commits mailing list archives

From julianf...@apache.org
Subject svn commit: r1837321 - in /subversion/site/publish: docs/release-notes/1.10.html faq.html
Date Thu, 02 Aug 2018 14:44:02 GMT
Author: julianfoad
Date: Thu Aug  2 14:44:02 2018
New Revision: 1837321

URL: http://svn.apache.org/viewvc?rev=1837321&view=rev
Log:
Add SSL communication error FAQ; link to it from 1.10 release notes.

Patch by: Folker Schamel <schamel23{_AT_}spinor.com>

* site/staging/faq.html:
  (ssl-communication-error): Add entry for "An error occurred during SSL
    communication" error.

* site/staging/docs/release-notes/1.10.html:
  (new-ca-keys): Add entry for an OpenSSL upgrade causing "An error occurred
    during SSL communication" error.

Modified:
    subversion/site/publish/docs/release-notes/1.10.html
    subversion/site/publish/faq.html

Modified: subversion/site/publish/docs/release-notes/1.10.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/docs/release-notes/1.10.html?rev=1837321&r1=1837320&r2=1837321&view=diff
==============================================================================
--- subversion/site/publish/docs/release-notes/1.10.html (original)
+++ subversion/site/publish/docs/release-notes/1.10.html Thu Aug  2 14:44:02 2018
@@ -353,6 +353,43 @@ In particular, the behaviour of builds <
 
 </div>  <!-- svnserve-use-sasl -->
 
+<div class="h4" id="new-ca-keys">
+<h4>New CA keys may be required
+  <a class="sectionlink" href="#new-ca-keys"
+    title="Link to this section">&para;</a>
+</h4>
+
+<p>
+Some binary distributions of this new Subversion version
+may link to a newer OpenSSL version than previous distributions.
+This may lead to different behavior.
+</p>
+
+<p>
+Especially, some distributions may link this Subversion release to OpenSSL 1.1 instead of
OpenSSL 1.0.
+OpenSSL 1.1 does not allow md5 hashes for CA keys anymore.
+When using client certificates signed by such a CA,
+the new Subversion client may fail with <tt>An error occurred during SSL communication</tt>.
+You can analyze the underlying cause by first converting the client certificate from p12
to pem by
+<pre>
+openssl pkcs12 -in path/to/svn/cert.p12 -out cert.pem
+</pre>
+and then testing the SSL connection by
+<pre>
+openssl s_client -connect example.com:443 -servername example.com -cert cert.pem
+</pre>
+If this test connection fails with <tt>ca md too weak</tt>
+then creating new CA keys using sha256 instead of md5
+and corresponding new client certificates should solve the problem.
+</p>
+
+<p>
+See also <a href="/faq.html#ssl-communication-error">When performing Subversion operations
+over SSL, I get the error <tt>An error occurred during SSL communication</tt></a>
+</p>
+
+</div>  <!-- new-ca-keys -->
+
 </div>  <!-- compat-misc -->
 
 </div>  <!-- compatibility -->
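Review bot: In the second paragraph of the new-ca-keys section, "OpenSSL 1.1 does not allow md5 hashes for CA keys anymore" and "creating new CA keys using sha256 instead of md5" treat the digest as a property of the key, but the "md" in the quoted "ca md too weak" error is the message digest used to sign a certificate. Suggest wording along the lines of "OpenSSL 1.1 no longer accepts certificates signed using MD5" and "re-issuing the CA certificate and the client certificates with a SHA-256 signature", so that readers look at the signature algorithm of their certificates rather than at the key pair. Since the two commands here duplicate the ones added to faq.html in the same commit, consider keeping only the explanation and the link in the release notes, so the two copies cannot drift apart.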

Modified: subversion/site/publish/faq.html
URL: http://svn.apache.org/viewvc/subversion/site/publish/faq.html?rev=1837321&r1=1837320&r2=1837321&view=diff
==============================================================================
--- subversion/site/publish/faq.html (original)
+++ subversion/site/publish/faq.html Thu Aug  2 14:44:02 2018
@@ -256,6 +256,8 @@ validating server certificate</tt> error
     characters do not seem to be working?</a></li>
 <li><a href="#dav-slow-copy">Why does an HTTP(S) URL-to-URL copy or
     branch/tag operation take a long time?</a></li>
+<li><a href="#ssl-communication-error">When performing Subversion operations
+    over SSL, I get the error <tt>An error occurred during SSL communication</tt></a></li>
 </ul>
 
 <h4>Developer questions:</h4>
@@ -4158,6 +4160,48 @@ Subversion perform a normal recursive co
 
 </div>
 
+<div class="h3" id="ssl-communication-error">
+
+<h3>When performing Subversion operations
+    over SSL, I get the error <tt>An error occurred during SSL communication</tt>
+  <a class="sectionlink" href="#ssl-communication-error"
+    title="Link to this section">&para;</a>
+</h3>
+<p>
+SSL communication errors can have various reasons.
+You can use the openssl binary to debug the ssl connection.
+<pre>
+openssl s_client -connect example.com:443 -servername example.com
+</pre>
+If you use a client certificate,
+then you need to convert Subversion's client certificate from pkcs12 to pem first:
+<pre>
+openssl pkcs12 -in path/to/svn/cert.p12 -out cert.pem
+</pre>
+Then you can use:
+<pre>
+openssl s_client -connect example.com:443 -servername example.com -cert cert.pem
+</pre>
+If you are using ssl-authority-files in <tt>.subversion/servers</tt> to verify
+the server cert you can get <tt>s_client</tt> to do the same with the additional
+parameter:
+<pre>
+openssl s_client ... -CAfile path/to/authority.pem
+</pre>
+The <tt>s_client</tt> output may indicate what problem is occurring.
+</p>
+
+<p>
+For example, if <tt>s_client</tt> reports
+<pre>
+error setting certificate
+140258270184704:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:303:
+</pre>
+then creating new CA keys with sha256 instead of md5 should solve the problem.
+</p>
+
+</div>
+
 </div>
 
 <div class="h2" id="developer-questions">
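Review bot: The "openssl pkcs12 -in path/to/svn/cert.p12 -out cert.pem" step in the ssl-communication-error entry exports the client certificate together with its private key into cert.pem in the current directory, and nothing in the entry tells the reader to protect or remove that file once debugging is finished. Suggest adding a sentence after the last s_client command saying that cert.pem contains the private key and should be deleted afterwards, or written to a location only the user can read. A smaller markup point: each pre block is placed inside an open p element (the first p contains four of them, the second one), which is not valid nesting, so the closing p tags end up unmatched; closing the paragraph before each pre and reopening it afterwards would fix that.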


