Bug 194241 - [PATCH] net/svnup can not connect to freebsd svn repos "SSL_connect error:1"
Summary: [PATCH] net/svnup can not connect to freebsd svn repos "SSL_connect error:1"
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Bryan Drewery
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-08 13:13 UTC by Bernard Spil
Modified: 2015-03-06 09:37 UTC (History)
2 users (show)

See Also:
brnrd: maintainer-feedback? (jcm)


Attachments
Patch to enable TLSv1 (544 bytes, patch)
2014-10-08 13:13 UTC, Bernard Spil
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Bernard Spil freebsd_committer 2014-10-08 13:13:29 UTC
Created attachment 148094 [details]
Patch to enable TLSv1

When I run svnup it returns a large amount of 
SSL_connect error:1
lines.

There seems to have been a change in the svnup servers that no longer allow it to negotiate SSLv3 connections.
$ openssl s_client -connect svn0.eu.freebsd.org:443 -ssl3
CONNECTED(00000003)
34379134632:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:1260:SSL alert number 40
34379134632:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_pkt.c:596:

Negotiating a TLSv1(.1/.2) connection is fine.

The SSL connection is established with 
   connection->ctx = SSL_CTX_new(SSLv23_client_method()); 
which will be broken for people using security/libressl
then the code disables TLSv1 breaking the ssl session setup.
   SSL_CTX_set_options(connection->ctx, SSL_OP_ALL | SSL_OP_NO_TICKET | SSL_OP_NO_TLSv1);

When I remove "| SSL_OP_NO_TLSv1" it compiles and runs fine.
Comment 1 Bugzilla Automation freebsd_committer 2014-10-08 13:13:29 UTC
Maintainer CC'd
Comment 2 jcm 2014-10-12 23:36:03 UTC
Hello,

The patch has been merged (Thanks!)  I still have some work to do for bug #193837 and I'm hoping to have 1.07 pushed out later this week.
Comment 3 Bernard Spil freebsd_committer 2014-10-13 07:00:25 UTC
You may wish to expedite this patch with the oncoming release of FreeBSD 10.1 as I expect many people will wish to update their source tree at that time!

Thanks,

Bernard.
Comment 4 Bryan Drewery freebsd_committer 2014-10-15 15:37:07 UTC
I will test/commit this as it is hurting users currently.
Comment 5 Bryan Drewery freebsd_committer 2014-10-15 15:45:18 UTC
Fix committed
Comment 6 commit-hook freebsd_committer 2014-10-15 15:45:34 UTC
A commit references this bug:

Author: bdrewery
Date: Wed Oct 15 15:44:42 UTC 2014
New revision: 370930
URL: https://svnweb.freebsd.org/changeset/ports/370930

Log:
  - Allow svnup to work with TLS; SSLv3 is being disabled due to POODLE.

  PR:		194241
  Submitted by:	spil.oss@gmail.com
  Obtained from:	Merged in upstream
  MFH:		2014Q4

Changes:
  head/net/svnup/Makefile
  head/net/svnup/files/
  head/net/svnup/files/patch-svnup.c
Comment 7 commit-hook freebsd_committer 2014-10-15 15:45:36 UTC
A commit references this bug:

Author: bdrewery
Date: Wed Oct 15 15:45:07 UTC 2014
New revision: 370931
URL: https://svnweb.freebsd.org/changeset/ports/370931

Log:
  MFH: r370930

  - Allow svnup to work with TLS; SSLv3 is being disabled due to POODLE.

  PR:		194241
  Submitted by:	spil.oss@gmail.com
  Obtained from:	Merged in upstream

Changes:
_U  branches/2014Q4/
  branches/2014Q4/net/svnup/Makefile
  branches/2014Q4/net/svnup/files/