SSL bad decompression

Joe Orton joe at manyfish.co.uk
Thu Aug 14 04:02:53 EDT 2008


Hi Matthew,

On Wed, Aug 13, 2008 at 05:31:10PM -0400, Matthew L. Creech wrote:
> Please see:
> 
> http://groups.google.com/group/linux.debian.bugs.dist/browse_thread/thread/162efded1f6706c7/a63ac5eeaa5ebc4d?fwc=1
> 
> I'm having the same problem now after upgrading Subversion (which
> triggers an upgrade of neon to 0.28.2):
> 
> Transmitting file data
> ................................................svn: Commit failed
> (details follow):
> svn: At least one property change failed; repository is unchanged
> svn: PROPPATCH of
> '/svn/!svn/wrk/8043ac45-fa17-4599-9f4f-91d087d14888/proj/skeleton/etc/init.d/snmpd':
> SSL negotiation failed: SSL error: bad decompression
> (https://svn.blah.com)
> svn: Your commit message was left in a temporary file:
> svn:    '/home/mlcreech/svn/PCM-tk/trunk/svn-commit.tmp'
> 
> This probably doesn't tell you much about the NEON internals, but this
> happens consistently so I can help to debug if needed.  Any ideas?
> Thanks!

There is a bug in the Debian BTS for this, though I can't find it 
currently.  This is the comment I sent:

--
This is reproducible with a neon/GnuTLS build and a neon/OpenSSL build,
so it doesn't seem to be a toolkit-specific bug.

The only difference between 0.27 and 0.28 is that TLS SNI is enabled by
default in 0.28.x; this shouldn't make a difference unless there is an
RFC compliance issue on the server.  Given that it's mod_ssl the other
end, I'm not sure what the problem might be; I don't think I've seen this
before.
--

I've seen a couple of reports of this bug for the svn.gforge.org SVN 
server, and never AFAIR for any other SVN server, which I think is 
slightly curious.  My best guess would be that this is some bug specific 
to the version of OpenSSL running on that server.  I'm not aware of any 
specific OpenSSL bug which causes this type of failure though I've not 
researched that.

So, disabling TLS/SNI in neon (or in SVN) would work around it.  It's 
possible to forcibly disable TLS compression in the SSL_CTX so it would 
be interesting to try that too.

Regards, Joe
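
A way to confirm on the wire that the two workarounds mentioned above (no SNI, no TLS compression) actually took effect, as an added example that is not part of the original message and not neon's code. It assumes Python's OpenSSL-backed `ssl` module as a stand-in client; the hostname `svn.example.org` is constructed, and no network connection is made.

```python
import ssl
import struct

def client_hello(sni):
    """Return the raw ClientHello record the client would send (offline, via memory BIOs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking needs a server_hostname; only the first flight is produced here.
    ctx.check_hostname = sni is not None
    ctx.options |= ssl.OP_NO_COMPRESSION      # forcibly disable TLS compression
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                                  # expected: no server reply is available
    return outgoing.read()

def parse_client_hello(record):
    """Extract the offered compression methods and the SNI name, if any."""
    if record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS ClientHello")
    pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                    # session id
    (suites_len,) = struct.unpack_from("!H", record, pos)
    pos += 2 + suites_len                     # cipher suites
    comp_len = record[pos]
    compression = list(record[pos + 1:pos + 1 + comp_len])
    pos += 1 + comp_len
    (ext_total,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end, sni = pos + ext_total, None
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                     # server_name extension
            # layout: list length (2), name type (1), name length (2), name
            (name_len,) = struct.unpack_from("!H", record, pos + 3)
            sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return {"compression_methods": compression, "sni": sni}

if __name__ == "__main__":
    for name in ("svn.example.org", None):    # constructed hostname vs. SNI disabled
        print(name, parse_client_hello(client_hello(name)))
```

A compression list of `[0]` means only the null method is offered, so the server cannot select a compression method during the handshake.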






