Bug 304163 - dev-util/subversion-1.6.6 hosted via www-servers/apache-2.2.14-r1 causes "parse tlsext" or "bad decompression" SSL errors
Summary: dev-util/subversion-1.6.6 hosted via www-servers/apache-2.2.14-r1 causes "pa...
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High major
Assignee: Gentoo Linux bug wranglers
URL: http://www.gossamer-threads.com/lists...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-02-09 19:18 UTC by Gabe Martin-Dempesy
Modified: 2010-02-09 22:53 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Gabe Martin-Dempesy 2010-02-09 19:18:56 UTC
After upgrading to Apache 2.2.14-r1 from Apache 2.2.11, a subversion repository hosted by it began returning the following error mid-way through larger commits:

'/!svn/wrk/48583f7d-0e01-410d-8941-33d2ba3574b4/WAP/.../htdocs/images/rt.gif': SSL negotiation failed: SSL error: parse tlsext (https://...)

This seems to be commonly reported as an issue with Apache 2.2.12 - 2.2.14.  Many people struggling with this have suggested removing TLSv1 from Apache's SSLProtocol.  However, this results in the following different error:

svn: PUT of '/!svn/wrk/0b9f5a96-15aa-11df-ad6a-0f71b873281b/project/trunk/path/btn_Cancel.gif': SSL handshake failed: SSL error: bad decompression (https://...)

The recommended work-around to this error seems to be to add TLSv1 back to your SSLProtocol, which returns us back to the original error.

Since this is likely an upstream issue, would it make sense to return 2.2.11 to the portage tree such that downgrading is possible?

Reproducible: Always

Steps to Reproduce:
Make a large commit to a working copy whose repository is hosted on an affected Apache version with SSL
Actual Results:
During larger commits (20+ files), an error message with either:
'/!svn/wrk/48583f7d-0e01-410d-8941-33d2ba3574b4/WAP/.../htdocs/images/rt.gif': SSL negotiation failed: SSL error: parse tlsext (https://...)
svn: PUT of '/!svn/wrk/0b9f5a96-15aa-11df-ad6a-0f71b873281b/project/trunk/path/btn_Cancel.gif': SSL handshake failed: SSL error: bad decompression (https://svn.example.com)


Versions and USE flags involved (from emerge -pv):
[ebuild   R   ] dev-libs/openssl-0.9.8l-r2  USE="zlib -bindist -gmp -kerberos -sse2 -test" 4,082 kB
[ebuild   R   ] www-servers/apache-2.2.14-r1  USE="ssl -debug -doc -ldap (-selinux) -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_user autoindex dav dav_fs dav_lock dbd deflate dir env expires headers include info log_config logio mime mime_magic negotiation proxy proxy_balancer proxy_connect proxy_http rewrite setenvif status unique_id userdir -asis -authn_alias -authn_anon -authn_dbm -authz_dbm -authz_owner -cache -cern_meta -charset_lite -disk_cache -dumpio -ext_filter -file_cache -filter* -ident -imagemap -log_forensic -mem_cache -proxy_ajp -proxy_ftp -speling -substitute -usertrack* -version -vhost_alias" APACHE2_MPMS="prefork -event -itk -peruser -worker" 5,088 kB
[ebuild   R   ] net-misc/neon-0.29.0  USE="expat nls ssl zlib -doc -gnutls -kerberos -libproxy -pkcs11" LINGUAS="-cs -de -fr -ja -nn -pl -ru -tr -zh_CN" 859 kB
[ebuild   R   ] dev-util/subversion-1.6.6  USE="apache2 bash-completion dso nls perl python ruby webdav-neon -berkdb -ctypes-python -debug -doc -emacs -extras -gnome-keyring -java -sasl -test -vim-syntax -webdav-serf" 5,384 kB

Portage 2.1.7.16 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.22-hardened-r8 i686)
=================================================================
System uname: Linux-2.6.22-hardened-r8-i686-Intel-R-_Xeon-TM-_CPU_3.00GHz-with-gentoo-1.12.13
Timestamp of tree: Tue, 09 Feb 2010 05:45:01 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.4.6, 2.5.4-r3, 2.6.4
dev-python/pycrypto: 2.0.1-r8
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       3.3.6-r1, 3.4.6-r2, 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -pipe -O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php4/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php4/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php4/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=pentium4 -pipe -O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://gentoo.chem.wisc.edu/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"
USE="acl apache2 bash-completion bzip2 chroot cli cracklib crypt ctype curl cxx dri examples expat gd gpm hardened hpn iconv jpeg json modules mssql mudflap multiuser munin-apache mysql mysqli ncurses nls nptl nptlonly openmp pam pcre perl pic png posix pppd python readline reflection ruby sendfile session sftplogging simplexml soap spl ssh ssl subversion symlink sysfs tcpd threads tokenizer truetype unicode urandom utf8 vchroot vhosts x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 	emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m 	maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbd authn_default authn_file authz_default authz_groupfile authz_host authz_user autoindex cgi cgid dav dav_fs dav_lock dbd deflate dir env expires filter headers include info log_config logio mime mime_magic negotiation proxy proxy_balancer proxy_connect proxy_http rewrite setenvif so status unique_id userdir" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel 	mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage 	siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware 	voodoo" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Gabe Martin-Dempesy 2010-02-09 19:35:25 UTC
I've also filed this upstream at https://issues.apache.org/bugzilla/show_bug.cgi?id=48713
Comment 2 Gabe Martin-Dempesy 2010-02-09 22:53:44 UTC
After reading the http-dev thread about this issue, archived at http://www.gossamer-threads.com/lists/apache/dev/375633 , it seems this issue is caused by a bug in the client-side OpenSSL library with regard to how SSL Tickets / IDs are handled (probably in coordination with SNI, first introduced in Apache 2.2.12), which explains why the error does not occur immediately, but takes a few seconds to minutes. This resolution was determined on Nov 2, three days before OpenSSL 0.9.8l came out. The thread does not explicitly state if/when the fix was applied to OpenSSL, but I think it's something we can anticipate being fixed in 0.9.8m, which I believe is covered by this entry in the m-beta changelog:

>   *) Fixes to stateless session resumption handling. Use initial_ctx when
>      issuing and attempting to decrypt tickets in case it has changed during
>      servername handling. Use a non-zero length session ID when attempting
>      stateless session resumption: this makes it possible to determine if
>      a resumption has occurred immediately after receiving server hello
>      (several places in OpenSSL subtly assume this) instead of later in
>      the handshake.
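The changelog entry quoted in Comment 2 turns on two ClientHello fields: the SessionTicket extension (the client's stateless resumption attempt) and the session ID length, which pre-fix OpenSSL left at zero when resuming with a ticket, so the client could not tell from the ServerHello whether resumption had happened. The following script is an added example, not code from this bug, from Apache or from OpenSSL. It parses a TLS 1.0-1.2 ClientHello record offline, reports the SNI host name, the session ID length and the ticket extension, and classifies the resumption attempt; it also rejects a ClientHello whose extensions block is inconsistent, which is the class of failure that surfaces as "parse tlsext". The ClientHello bytes, the host name svn.example.com, the cipher list and the ticket contents are all constructed here for the demonstration, not captured traffic.

```python
"""Offline check of the session-resumption fields in a TLS ClientHello.

Added example (not the bug report's, Apache's or OpenSSL's code). The
sample ClientHello is built by build_client_hello(); nothing is captured.
"""
import struct

SNI_EXT = 0x0000            # server_name extension type (RFC 6066)
SESSION_TICKET_EXT = 0x0023  # SessionTicket extension type (RFC 5077)


def build_client_hello(server_name, session_id=b"", ticket=None):
    """Construct a minimal TLS 1.0 ClientHello record for testing (constructed input)."""
    body = b"\x03\x01" + bytes(32)                        # client_version, random (zeros: constructed)
    body += bytes([len(session_id)]) + session_id
    suites = b"\x00\x2f\x00\x0a"                          # constructed list: AES128-SHA, 3DES-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # one compression method: null
    name = server_name.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ticket is not None:                                # b"" announces support, non-empty resumes
        exts += struct.pack("!HH", SESSION_TICKET_EXT, len(ticket)) + ticket
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(record):
    """Return the resumption-relevant fields of a ClientHello; ValueError if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                          # skip client_version and random
    sid_len = body[pos]; pos += 1
    pos += sid_len                                        # skip the session ID bytes themselves
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    info = {"server_name": None, "session_id_len": sid_len, "has_ticket": False, "ticket_len": 0}
    if pos == len(body):
        return info                                       # legal: no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("extensions length disagrees with ClientHello length")
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == SNI_EXT:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p < 2 + list_len:
                ntype, nlen = struct.unpack("!BH", data[p:p + 3]); p += 3
                if ntype == 0:                            # host_name entry
                    info["server_name"] = data[p:p + nlen].decode("ascii")
                p += nlen
        elif etype == SESSION_TICKET_EXT:
            info["has_ticket"] = True
            info["ticket_len"] = elen
    return info


def resumption_shape(info):
    """Classify what kind of resumption (if any) the ClientHello is attempting."""
    if info["has_ticket"] and info["ticket_len"] > 0:
        # A ticket with an empty session ID is the pre-0.9.8m shape the changelog
        # describes: the client cannot learn from the ServerHello alone whether
        # the server accepted the ticket, because there is no ID to echo back.
        if info["session_id_len"] == 0:
            return "ticket-resume-empty-sid"
        return "ticket-resume-with-sid"
    if info["session_id_len"] > 0:
        return "id-resume"
    return "full-handshake"


def is_well_formed(record):
    """True if the record parses; False for the 'parse tlsext' class of error."""
    try:
        parse_client_hello(record)
        return True
    except (ValueError, IndexError, struct.error):
        return False


if __name__ == "__main__":
    for sid, ticket in ((b"", b"\x00" * 16), (bytes(32), b"\x00" * 16), (bytes(32), None), (b"", b"")):
        rec = build_client_hello("svn.example.com", sid, ticket)
        info = parse_client_hello(rec)
        print(info["server_name"], info["session_id_len"], info["ticket_len"], resumption_shape(info))
```

Run against a real capture, the classification tells you whether a client is resuming with a ticket but no session ID (the behaviour fixed in 0.9.8m), which is the shape that interacts badly with per-vhost SNI context switching on the server side.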