Recently the following problem has come up: When trying to commit with subversion a large set of files from a Gentoo client to a Gentoo server, this consistently fails with an error like

svn: PROPPATCH von »/svn/huettel/!svn/wrk/a44.....«: SSL handshake failed: SSL error: parse tlsext (https://data.xxxx.de)

The client is dev-util/subversion-1.6.6, dev-libs/openssl-0.9.8l-r2 on Gentoo/amd64 (amd64, mostly stable)
The server is www-servers/apache-2.2.14-r1, dev-libs/openssl-0.9.8l-r2, dev-util/subversion-1.6.6-r10 (amd64, mostly stable)

Please have a look at the mailing list thread given in URL. I suspect we are hitting this interoperability issue, which may be fixed in newer openssl.
Created attachment 218881: emerge --info output of the client
Created attachment 218883: emerge --info output of the server
Maybe I should mention that the repository uses a https:// url.

Client:

huettel@pinacolada ~ $ equery uses subversion
[ Searching for packages matching subversion... ]
[ Colour Code : set unset ]
[ Legend : Left column  (U) - USE flags from make.conf              ]
[        : Right column (I) - USE flags packages was installed with ]
[ Found these USE variables for dev-util/subversion-1.6.6 ]
 U I
 - - apache2         : Add Apache2 support
 + + bash-completion : Enable bash-completion support
 + + berkdb          : Adds support for sys-libs/db (Berkeley DB for MySQL)
 - - ctypes-python   : Build and install ctypes python bindings
 - - debug           : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see http://www.gentoo.org/proj/en/qa/backtraces.xml
 - - doc             : Adds extra documentation (API, Javadoc, etc)
 - - dso             : Enable runtime module search
 - - elibc_FreeBSD   : ELIBC setting for systems that use the FreeBSD C library
 - - emacs           : Adds support for GNU Emacs
 - - extras          : Install extras scripts (examples, tools, hooks)
 - - gnome-keyring   : Enable support for storing passwords via gnome-keyring
 + + java            : Adds support for Java
 + + nls             : Adds Native Language Support (using gettext - GNU locale utilities)
 + + perl            : Adds support/bindings for the Perl language
 + + python          : Adds support/bindings for the Python language
 - - ruby            : Adds support/bindings for the Ruby language
 + + sasl            : Adds support for the Simple Authentication and Security Layer
 - - test            : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 - - vim-syntax      : Pulls in related vim syntax scripts
 + + webdav-neon     : Enable WebDAV support using net-misc/neon
 - - webdav-serf     : Enable WebDAV support using net-libs/serf
huettel@pinacolada ~ $

Server:

huettel@grenadine ~ $ equery uses subversion
[ Searching for packages matching subversion... ]
[ Colour Code : set unset ]
[ Legend : Left column  (U) - USE flags from make.conf              ]
[        : Right column (I) - USE flags packages was installed with ]
[ Found these USE variables for dev-util/subversion-1.6.6-r10 ]
 U I
 + + apache2         : Add Apache2 support
 + + bash-completion : Enable bash-completion support
 + + berkdb          : Adds support for sys-libs/db (Berkeley DB for MySQL)
 - - ctypes-python   : Build and install ctypes python bindings
 - - debug           : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see http://www.gentoo.org/proj/en/qa/backtraces.xml
 - - doc             : Adds extra documentation (API, Javadoc, etc)
 - - dso             : Enable runtime module search
 - - elibc_FreeBSD   : ELIBC setting for systems that use the FreeBSD C library
 - - emacs           : Adds support for GNU Emacs
 - - extras          : Install extras scripts (examples, tools, hooks)
 - - gnome-keyring   : Enable support for storing passwords via gnome-keyring
 + + java            : Adds support for Java
 + + kde             : Adds support for kde-base/kde (K Desktop Enviroment)
 + + nls             : Adds Native Language Support (using gettext - GNU locale utilities)
 + + perl            : Adds support/bindings for the Perl language
 + + python          : Adds support/bindings for the Python language
 + + ruby            : Adds support/bindings for the Ruby language
 + + sasl            : Adds support for the Simple Authentication and Security Layer
 - - test            : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore
 - - vim-syntax      : Pulls in related vim syntax scripts
 + + webdav-neon     : Enable WebDAV support using net-misc/neon
 - - webdav-serf     : Enable WebDAV support using net-libs/serf
huettel@grenadine ~ $
Some people suggest adding

SSLProtocol -ALL +SSLv2 +SSLv3

to work around this issue. It would be great if somebody dug a bit deeper to find out what needs to be fixed on the Gentoo side.
Could this and bug 304163 have a similar cause?
We have the same issue.

dev-libs/openssl-0.9.8l-r2
www-servers/apache-2.2.14-r1

emerge --info
Portage 2.1.6.13 (hardened/linux/amd64, gcc-3.4.6, glibc-2.6.1-r0, 2.6.18-028stab056 x86_64)
=================================================================
System uname: Linux-2.6.18-028stab056-x86_64-Dual-Core_AMD_Opteron-tm-_Processor_1212-with-glibc2.3.2
Timestamp of tree: Tue, 26 Jan 2010 07:15:01 +0000
distcc 3.0 x86_64-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-lang/python:     2.5.4-r3
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=opteron -O2 -pipe"
DISTDIR="/_gentoo_portage/distfiles"
FEATURES="ccache distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://de-mirror.org/distro/gentoo http://gentoo.inode.at http://gentoo.inf.elte.hu"
LANG="hu_HU.UTF-8"
LC_ALL="hu_HU.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="hu"
MAKEOPTS="-j4"
PKGDIR="/_gentoo_portage/packages/opteron64"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/_gentoo_portage/tmp"
PORTDIR="/_gentoo_portage/portage"
PORTDIR_OVERLAY="/_gentoo_portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext acpi amd64 berkdb bzip2 caps cli cracklib crypt cxx dri hardened iconv justify mmx modules mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection session slang spl sse sse2 sse3 ssl sysfs tcpd unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir env expires ext_filter filter headers ident imagemap include info log_config mem_cache mime mime_magic negotiation rewrite setenvif so speling status userdir usertrack unique_id vhost_alias suexec proxy proxy_balancer proxy_connect proxy_ftp proxy_http" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="hu" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
It seems like updating to 0.9.8m solved the problem for me, and I'm not experiencing any regressions on my servers. But be aware of other conflicts; see: http://bugs.gentoo.org/show_bug.cgi?id=308123