subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Johan Corveleyn <>
Subject Re: Proxy settings in SVN
Date Mon, 15 Sep 2014 07:49:54 GMT
[ This list prefers bottom- or inline-posting, so please put your
reply inline or at the bottom, thanks. More below ...]

> -----Original Message-----
> From: Johan Corveleyn []
> Sent: Friday, September 12, 2014 2:10 AM
> To: Vaux, John
> Cc:
> Subject: Re: Proxy settings in SVN
> On Thu, Sep 11, 2014 at 11:03 PM, Vaux, John <> wrote:
>> Hello all,
>>                 It’s my first time posting to this list and I am not
>> subscribed so please CC me on any replies.
>>                 I’m having difficulty with the proxy settings in
>> Windows version of svn (I’m using the WANdisco compiled version).  It
>> seems as though no matter what I put in the
>> appdata\roaming\subversion\servers file the settings are ignored and
>> the svn is defaulting to the windows control panel settings.  This
>> would be fine but we utilize a proxy.pac autoconfigure and require
>> proxy authentication.  Between those two settings for whatever reason
>> svn seems to be unable to deal with the proxy’s request for
>> authentication.  I’ve tcpdumped the connection information from the proxy itself
and it looks like svn just isn’t answering.
>> The basic gist of the stream goes like this:
>> Source                  Dest                       Protocol
>> Length                  Message
>> clientIP                 proxyIP                HTTP
>> 121                         CONNECT www.svnrepository.tld:443 HTTP/1.1
>> proxyIP                clientIP                 HTTP
>> 236                         HTTP/1.1 407 authenticationrequired  (text/html)
>> clientIP                 proxyIP                HTTP
>> 217                         CONNECT www.svnrepository.tld:443 HTTP/1.1 ,
>> proxyIP                clientIP                 HTTP
>> 252                         HTTP/1.1 407 authenticationrequired ,
>> NTLMSSP_CHALLENGE (text/html)
>> And then silence.  The app correctly interprets the first 407 and
>> tries connecting again but this time with an NTLMSSP_NEGOTIATE but
>> when the proxy comes back with a CHALLENGE svn never responds with
>> credentials.  I worked with my proxy vendor and we tried to find ways
>> around it but short of turning off authentication they are chalking it
>> up to a bug in the HTTP client implementation.  Any help would be much appreciated.
> Hello John,
> It's indeed possible that this is related to a problem in de http client implementation
inside svn (i.e. the serf library which takes care of the http communication). Can you show
us the output of 'svn --version', so we know the exact version of svn (and version of serf
that is included)?
> If it's not the latest version (1.8.10 if I'm not mistaken), you might want to try upgrading
your client and see if that helps already. There were some subtle http communication bugs
fixed in recent 1.8.x releases.
> Cheers,
> --
> Johan

On Fri, Sep 12, 2014 at 4:51 PM, Vaux, John <> wrote:
> Johan,
>         Absolutely, I should have included that in my original email.  I've downloaded
the latest available specifically for my testing environment so svn --version does indeed
come back with 1.8.10.

Mmm, that's the most recent release ...

For completeness, can you copy-paste the full output of "svn
--version"? That includes the version number of the serf library
that's included.

I'm not an expert on serf's internals myself, but I've done a quick
search in the mailinglist archives on "negotiate", and a couple of
threads have come up:

There is also this recent commit, related to the http-pipelining that
was discussed in that latest thread (reverting the option, because
that particular issue was fixed in serf 1.4):

I'm not sure if any of this is related to the issue you are seeing,
but perhaps you can already read throught those threads to see if it
matches your problem. It's also perfectly possible that you're seeing
a new issue.

If you need a workaround, a product like cntlm [1] might be of some help.



View raw message