SSL bad decompression

Matthew L. Creech mlcreech at gmail.com
Thu Aug 14 10:58:30 EDT 2008


Thanks for the response!

On Thu, Aug 14, 2008 at 4:02 AM, Joe Orton <joe at manyfish.co.uk> wrote:
>
> I've seen a couple of reports of this bug for the svn.gforge.org SVN
> server, and never AFAIR for any other SVN server, which I think is
> slightly curious.  My best guess would be that this is some bug specific
> to the version of OpenSSL running on that server.  I'm not aware of any
> specific OpenSSL bug which causes this type of failure though I've not
> researched that.
>

I'm seeing it on our company Subversion server, and I've got multiple
machines doing the same thing.  It started happening when the clients
began upgrading to Subversion 1.5 (which pulled in neon 0.28).  I
upgraded the server in an attempt to fix it, but it didn't help.  So
if it's something wrong on the server end, it's been that way for
quite a while, because the packages on the server hadn't been touched
in over a year.  If you've got any suggestions on what to try on the
server side, let me know.

> So, disabling TLS/SNI in neon (or in SVN) would work around it.  It's
> possible to forcibly disable TLS compression in the SSL_CTX so it would
> be interesting to try that too.
>

I tried the first suggestion on one of the clients:

diff -purN orig/src/ne_session.c neon-0.28.2/src/ne_session.c
--- orig/src/ne_session.c       2008-08-14 10:23:51.000000000 -0400
+++ neon-0.28.2/src/ne_session.c        2008-08-14 10:24:07.000000000 -0400
@@ -148,7 +148,7 @@ ne_session *ne_session_create(const char
     if (sess->use_ssl) {
         sess->ssl_context = ne_ssl_context_create(0);
         sess->flags[NE_SESSFLAG_SSLv2] = 1;
-        sess->flags[NE_SESSFLAG_TLS_SNI] = 1;
+        sess->flags[NE_SESSFLAG_TLS_SNI] = 0;
     }
 #endif
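Review bot: this flips the default for every session that neon creates, not only sessions to the one server that misbehaves, and it leaves no comment recording why SNI is now off. Since `sess->flags[...]` is per-session state, a narrower fix is to keep `sess->flags[NE_SESSFLAG_TLS_SNI] = 1;` as the default and let the calling application clear the flag on the affected session, so that other servers keep receiving SNI and the workaround does not require every client to be rebuilt.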


and sure enough it fixed the problem.  It's not the best solution,
since we've got people outside of the company using this server, and
getting them all to hack up their clients would be impossible.  But at
least I'm on the right track now.

It's odd that this wouldn't be a widely-reported problem.  I'm going
to keep playing with the server's configuration (maybe the SNI-related
stuff?) and see if I can fix things that way.  Thanks for the help!

-- 
Matthew L. Creech
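The thread narrows the failure down to the two ClientHello fields neon controls here: whether SNI is sent and whether a non-null compression method is offered. The following is an added example (not neon, Subversion or OpenSSL code) that parses a TLS ClientHello record just far enough to report those two fields, with every length bounds-checked, so an operator can inspect what a given client actually offers before changing server or client settings. The sample record, the host name "svn.example.com" and the function names are constructed for this example.

```c
/* Added example: minimal TLS ClientHello inspector (not neon/OpenSSL code).
 * It reports whether the client offers real compression (any method != 0)
 * and whether it sends a server_name (SNI) extension, and nothing else. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hello_info {
    int ok;                  /* 1 if the record parsed cleanly to the end */
    int offers_compression;  /* 1 if a method other than 0 (null) is offered */
    int has_sni;             /* 1 if a server_name extension is present */
    char sni[256];           /* host_name carried by the SNI extension */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one TLS record carrying a ClientHello.  Each length is checked
 * against the remaining bytes before use; a truncated or malformed record
 * returns ok = 0 instead of reading past the buffer. */
struct hello_info inspect_client_hello(const uint8_t *buf, size_t len)
{
    struct hello_info info;
    memset(&info, 0, sizeof info);

    /* record: type(1) version(2) length(2); handshake: type(1) length(3) */
    if (len < 9 || buf[0] != 0x16 || buf[5] != 0x01) return info;
    size_t rec_len = rd16(buf + 3);
    size_t hs_len = ((size_t)buf[6] << 16) | ((size_t)buf[7] << 8) | buf[8];
    if (rec_len + 5 > len || hs_len + 4 > rec_len) return info;

    const uint8_t *p = buf + 9, *end = p + hs_len;

    if (end - p < 34) return info;            /* client_version(2) + random(32) */
    p += 34;
    if (end - p < 1 || end - p < 1 + p[0]) return info;   /* session_id */
    p += 1 + p[0];
    if (end - p < 2) return info;             /* cipher_suites */
    size_t cs_len = rd16(p); p += 2;
    if ((size_t)(end - p) < cs_len) return info;
    p += cs_len;

    /* compression_methods: 0 = null, 1 = DEFLATE (the case neon is hitting) */
    if (end - p < 1) return info;
    size_t cm_len = p[0]; p += 1;
    if ((size_t)(end - p) < cm_len) return info;
    for (size_t i = 0; i < cm_len; i++)
        if (p[i] != 0) info.offers_compression = 1;
    p += cm_len;

    if (p == end) { info.ok = 1; return info; }   /* extensions are optional */
    if (end - p < 2) return info;
    size_t ext_total = rd16(p); p += 2;
    if ((size_t)(end - p) != ext_total) return info;

    while (end - p >= 4) {
        uint16_t type = rd16(p), elen = rd16(p + 2);
        p += 4;
        if ((size_t)(end - p) < elen) return info;
        if (type == 0x0000 && elen >= 5) {    /* server_name extension */
            /* list length(2), name_type(1), host_name length(2), host_name */
            size_t name_len = rd16(p + 3);
            if (p[2] == 0 && 5 + name_len <= elen && name_len < sizeof info.sni) {
                memcpy(info.sni, p + 5, name_len);
                info.sni[name_len] = '\0';
                info.has_sni = 1;
            }
        }
        p += elen;
    }
    info.ok = (p == end);
    return info;
}

/* Constructed sample (not a capture): TLS 1.0 ClientHello, two cipher
 * suites, compression methods {DEFLATE, null}, SNI "svn.example.com". */
const uint8_t SAMPLE_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x4a,             /* record header, 74-byte body */
    0x01, 0x00, 0x00, 0x46,                   /* ClientHello, 70-byte body */
    0x03, 0x01,                               /* client_version */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,         /* random (32 bytes, zeroed) */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00,                                     /* session_id length */
    0x00, 0x04, 0x00, 0x2f, 0x00, 0x35,       /* cipher_suites */
    0x02, 0x01, 0x00,                         /* compression: DEFLATE, null */
    0x00, 0x18,                               /* extensions length 24 */
    0x00, 0x00, 0x00, 0x14,                   /* server_name, 20 bytes */
    0x00, 0x12, 0x00, 0x00, 0x0f,             /* list len 18, host_name, 15 bytes */
    's','v','n','.','e','x','a','m','p','l','e','.','c','o','m'
};

struct hello_info inspect_sample(void)
{
    return inspect_client_hello(SAMPLE_HELLO, sizeof SAMPLE_HELLO);
}

int main(void)
{
    struct hello_info h = inspect_sample();
    printf("ok=%d compression=%d sni=%d host=%s\n",
           h.ok, h.offers_compression, h.has_sni, h.has_sni ? h.sni : "-");
    return 0;
}
```

Run against a real capture, the output shows directly whether a client is offering DEFLATE and SNI together; a client with SNI cleared (as in the patch above) would report sni=0 for the same server, and a client built with compression disabled in its SSL_CTX would report compression=0.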


