The current devel/subversion port fails to correctly load a valid "servers" Subversion configuration (~/.subversion/servers, or /usr/local/etc/subversion/servers) that contains a ssl-authority-files directive. I have tested the current (1.8.14) SVN port which fails under the conditions described below, while using a stock copy of Subversion-1.8.14 directly from the upstream tarballs and built using the same options as Poudriere reports in its build logs works fine. Here's the contents of /usr/local/etc/subversion/servers for reference: <BEGIN servers CONTENTS> [groups] fbsd_svn = svn.freebsd.org [fbsd_svn] ssl-authority-files = /usr/local/etc/svn.freebsd.org-ca.crt <END servers CONTENTS> I've included the contents of this certificate below, to allow for a complete reproduction test-case. Note that this certificate can be read and works as expected when I call the svn binary built by hand, but fails when calling the svn binary that ports installs. The failure can be seen by doing the following command: /usr/local/bin/svn ls https://svn.freebsd.org/ports/head svn: E125009: Unable to connect to a repository at URL 'https://svn.freebsd.org/ports/head' svn: E125009: Invalid config: unable to load certificate file '/usr/local/etc/svn.freebsd.org-ca.crt' openssl x509 -noout -fingerprint -in /usr/local/etc/svn.freebsd.org-ca.crt SHA1 Fingerprint=2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E As you can see, the certificate can most certainly be read, so it looks like a failure in the port to correctly process it. truss output shows this file is in fact being read successfully by the OS (I can attach full truss output of both the ports-binary and my own compiled version if it would help.) The contents of the root-CA used by FreeBSD's SVN is shown below, to allow complete reproduction of this issue: <BEGIN svn.freebsd.org-ca.crt CONTENTS> -----BEGIN CERTIFICATE----- MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B 3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/ Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2 VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT 79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6 c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3 ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs 8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/ qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG jjxDah2nGN59PRbxYvnKkKj9 -----END CERTIFICATE----- <END svn.freebsd.org-ca.crt CONTENTS>
Do you have www/neon built with OPENSSL?
Oh, sorry, it is not neon, but sef now. This error message could be issued only due to serf (www/serf) failure… Interesting.
Right, and www/serf has no OPENSSL option. For reference, my serf was built like so: # pkg query '%Ok = %Ov' serf DOCS = on GSSAPI = off But I don't see how this could be related to any ports compile-time options since the subversion tarball downloaded from the Apache project page correctly functions with the 'servers' file I listed in the initial bug report. Additionally, the libraries linked (as shown by ldd) are the same between the ports-built copy and the one I built directly from Apache's sources.
Yep, SERF has OpenSSL support unconditionally. But this error message (E125009) is used only if one of two SERF calls: serf_ssl_load_cert_file() serf_ssl_trust_cert() return error. I'm investigating what is wrong with svn from ports right now…
(for the record) serf_ssl_trust_cert() fails (subversion/libsvn_ra_serf/util.c:523). I can not understand — why?!
Could you please provide full "configure" and "gmake" command lines which you use to build working subversion "by hands"?
I pulled my manual configure options from the Poudriere output for the port, resulting in the following build sequence (and obviously my own prefix to avoid conflicting with ports.) My build: ./configure --without-swig --with-sqlite=/usr/local --with-expat=/usr/local/include:/usr/local/lib:expat --without-berkeley-db --disable-nls --without-sasl --with-serf=/usr/local --with-apr=/usr/local/bin/apr-1-config --with-apr-util=/usr/local/bin/apu-1-config --without-gnome-keyring --without-kwallet --with-apxs=no --without-berkeley-db --prefix=/home/josh/apps/subversion-1.8.14 make -j2 make install Here's what Poudriere had to say about the 1.8.14 build: ---Begin OPTIONS List--- ===> The following configuration options are available for subversion-1.8.14_1: BDB=off: Berkeley DB support DOCS=on: Build and/or install documentation FREEBSD_TEMPLATE=on: FreeBSD Project log template MAINTAINER_DEBUG=off: Build debug version NLS=off: Native Language Support P4_STYLE_MARKERS=on: Perforce-style conflict markers SASL=off: SASL authentication support SERF=on: WebDAV/Delta-V (HTTP/HTTPS) repo access module STATIC=off: Build static version (no shared libs) SVNSERVE_WRAPPER=off: Enable svnserve wrapper (umask setter) TEST=off: Run subversion test suite TOOLS=on: Install several tools ===> Use 'make config' to modify these settings ---End OPTIONS List--- --CONFIGURE_ARGS-- --without-swig --with-sqlite=/usr/local --with-expat=/usr/local/include:/usr/local/lib:expat --without-berkeley-db --disable-nls --without-sasl --with-serf --with-apr=/usr/local/bin/apr-1-config --with-apr-util=/usr/local/bin/apu-1-config --without-gnome-keyring --without-kwallet --with-apxs=no --without-berkeley-db --prefix=/usr/local ${_LATE_CONFIGURE_ARGS} --End CONFIGURE_ARGS--
It is mysterious! Looks like I need OpenSSL guru…
BTW, svn *without* port patches works, am I right?
Apologies for the delay in following-up, but I had limited luck trying to remove all the port-specific modifications to the upstream code as they seem to be scattered in a few places in the Makefile. I tried removing all the files in the port dir matching a name of ./files/patch-*, and the port failed to built as the plist file is expecting the programs like 'diff' to be renamed 'svndiff' per the build-outputs.mk patch. I did have build-success when I left in the two files: patch-Makefile.in & patch-build-outputs.mk. HOWEVER, the resulting port was still broken in the same way the standard port was in that it failed to parse the X.509 CA cert from the global SVN configuration, as in the original bug report. I notice there are a half-dozen "extra" patch files that appear to get conditionally applied due to various tunable options. Is one of these perhaps responsible? Is there a patch or modification I can try to see if further removing port-tweaks to the upstream sources is ultimately the cause of this issue? There are also some inline replacements made (via REINPLACE_CMD), although these appear limited to path/shebang corrections and presumably unrelated to the certificate parsing problem.
I've tracked down the cause of this bug to the change in ca_root_nss package which now provides the /etc/ssl/cert.pem symlink to the Mozilla CA root-cert X.509 bundle. The issue here is that Subversion (or the OpenSSL calls it relies on) chokes when a duplicate CA is added to the list of trusted roots. When this happens, the high-level action of "loading" the file specified by ssl-authority-files in the system or user-specific 'servers' file will fail. The failure mode is identical to the case where the file doesn't actually exist, leaving the user with little clue about the root cause. At this point it's a Subversion/OpenSSL issue, not specific to FreeBSD. If any other users run into this bug, the solution is to verify the root-CA for the server in question really is in the bundle referenced by cert.pem, then remove the configuration directive pointing to the same cert. Optionally removing the cert.pem symlink (or the port option creating it) restores the old behavior of the ca_root_nss port and the packages that will use this file by default. Unless there was more to do, I think this bug can be closed out.
If it is a bug, it is a bug in OpenSSL, not in apr/subversion.