connection failures to svn.cactuscode.org

Issue #2069 open
Roland Haas created an issue

I am getting connection failures to svn.cactuscode.org using svn 1.9.7 on Debian buster (which is starting to phase out TLS 1.0 and 1.1 support, https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html). Namely I get:

ET_Hack$ svn checkout https://svn.cactuscode.org/projects/ExternalLibraries/zlib/
svn: E170013: Unable to connect to a repository at URL 'https://svn.cactuscode.org/projects/ExternalLibraries/zlib'
svn: E120171: Error running context: An error occurred during SSL communication

and openssl shows:

ET_Hack$ openssl s_client -connect svn.cactuscode.org:443
CONNECTED(00000003)
140481992824064:error:14171102:SSL routines:tls_process_server_hello:unsupported protocol:../ssl/statem/statem_clnt.c:917:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 86 bytes and written 183 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1503529726
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Systems which still allow TLS 1.0 (e.g. the QueenBee login nodes) return

$ openssl s_client -connect svn.cactuscode.org:443
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 70803, ST = Louisiana, L = Baton Rouge, street = 110 Thomas Boyd, O = Louisiana State University, OU = LSU A & M, CN = svn.cactuscode.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cactuscode.org
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cactuscode.org
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 5565 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 02B9ECA6650E99DAB46E41D229C6B6317D5B6649DE5602AAACB85DDA3D4BCB7F
    Session-ID-ctx: 
    Master-Key: 6A79D044DE035A170C384CFFD2AD5B15B5691D518F04597E9A2BA9ED4A14CE93A18B0AB3D9CF65EC73A913FA7AC364EB
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1503529970
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

and only fail if TLS 1.2 is forced:

$ openssl s_client -connect svn.cactuscode.org:443 -tls1_2
CONNECTED(00000003)
47690330324936:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1503530008
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

Is there any chance of having LSU update their webserver so that it offers TLS 1.2 (around since August 2008)?

Note that chances are that Ubuntu (which branches off from Debian unstable regularly) will pick up this change soon, affecting the majority of our new Linux ET users.

For Debian this is a blocker since it prevents me from even downloading the code.

Keyword: SSL

Comments (6)

  1. Roland Haas reporter

    Oddly enough: svn.cct.lsu.edu works fine. I would have assumed that svn.cactuscode.org and svn.cct.lsu.edu eventually point to the same server.

    $ openssl s_client -connect svn.cct.lsu.edu:443
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
    verify return:1
    depth=0 C = US, postalCode = 70803, ST = Louisiana, L = Baton Rouge, street = 110 Thomas Boyd, O = Louisiana State University, OU = LSU A & M, CN = svn.cct.lsu.edu
    verify return:1
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cct.lsu.edu
       i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
     1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     3 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
       i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGezCCBWOgAwIBAgIRAJMak4/cvvLqoIwOhGVpLSQwDQYJKoZIhvcNAQELBQAw
    djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
    EjAQBgNVBAoTCUludGVybmV0MjERMA8GA1UECxMISW5Db21tb24xHzAdBgNVBAMT
    FkluQ29tbW9uIFJTQSBTZXJ2ZXIgQ0EwHhcNMTUwNjA5MDAwMDAwWhcNMTgwNjI1
    MjM1OTU5WjCBtDELMAkGA1UEBhMCVVMxDjAMBgNVBBETBTcwODAzMRIwEAYDVQQI
    EwlMb3Vpc2lhbmExFDASBgNVBAcTC0JhdG9uIFJvdWdlMRgwFgYDVQQJEw8xMTAg
    VGhvbWFzIEJveWQxIzAhBgNVBAoTGkxvdWlzaWFuYSBTdGF0ZSBVbml2ZXJzaXR5
    MRIwEAYDVQQLDAlMU1UgQSAmIE0xGDAWBgNVBAMTD3N2bi5jY3QubHN1LmVkdTCC
    AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANFnkaT5JngRJ6IZhiwTqR87
    JKbSHgK0GtbCZqLj1wD1mSYwctGtncrpNDI/x+wLQxJJ8iNQyBPGXzS4yAQTB0rg
    9pYitDP8MYGtqkJ8b2QNNLlr6nMiRfAAKbDlARGj9gywqYH+wZO5x+H3Y8zR5pRQ
    INiMepwWzYg2BV7H6zHxCcigvvwgRPgWxvzzjubGpH4qMRutdGnnTBEAZKfqL31Z
    KbESFCvaUAugxtRSJ13J7AYIMwwTaL5jGpSah8lbPeU81R/TIW44s18kR3Gn7p62
    1vLrk0iwcvXggAztV2IWjOnkkYtiqiT7ERSjPMV9Ol1N8UcSoD3JsySx9VH2+B3i
    YCxQQc6usijfX6ld5v8rtCZG5pLi8qZUPZ7JmhdPd95nugEgIYtWRe8oaOytljd3
    1SmUJnRcb1qY3sAPKoDSxvLa+ZY5s14tVcsAycJg1rx4HPAnY21abiZZgdPN28KV
    leqaabdxAFKU9/X1Uk1HhUr6dvhvHPZAU3KksGggqPb7HCF8wEffpEeKO7aMN88y
    aXvT0nHPmpyqT4mPQeoWjT3Xdl1oKFvuEIjubQ1F7TMtBKz5qdJgHiojE3KYwP9d
    7lBA2MKjrmVsKx6boLgmXfXnZjK3Y2LCffpLYgEtm255SJ95HSQEGF8ePLjuElh2
    xafrF8fDwFA3v2glePoJAgMBAAGjggHDMIIBvzAfBgNVHSMEGDAWgBQeBaN3j2yW
    4luHS6a0hqxxAAznODAdBgNVHQ4EFgQUVvsvJpMnqcAQsrGqPZdkrNR4SoowDgYD
    VR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
    CCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEEAwEBMEIwQAYIKwYBBQUH
    AgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0L3JlcG9zaXRvcnkvY3Bz
    X3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwu
    aW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZlckNBLmNybDB1BggrBgEF
    BQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9J
    bkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2Nz
    cC51c2VydHJ1c3QuY29tMBoGA1UdEQQTMBGCD3N2bi5jY3QubHN1LmVkdTANBgkq
    hkiG9w0BAQsFAAOCAQEAmy0H1GJ4o/8EJf/r9K53SySwgCNiXAFkWEMxwzDif01q
    QoLuNEGw9Wl8qLYIaLkVZSWL9iuqLfCUxk0Kyn6O+M6IkHXmIaQ+29yWAD00u+5n
    T6b1kln6bDOm0lQsiHqg8YXRbg8rAqe7u0VC7x1WGF/ib+BA+rqCfTOtbd5tXy1w
    OFCljplQGdJEgpCidMNxBPjOzadiE6GdTo4/jHvndERtm8sSAF7r8MVxVRwqOHkz
    NHvB72hkna51ChwOm4dOHOEC+wTm1OxNyqCLJ0L++YrHD77IECaIJz3KV+kRNMuW
    tWLY8FU4KGko0oGGRYTmcTYjae7E2vObo1KNjRPvvw==
    -----END CERTIFICATE-----
    subject=/C=US/postalCode=70803/ST=Louisiana/L=Baton Rouge/street=110 Thomas Boyd/O=Louisiana State University/OU=LSU A & M/CN=svn.cct.lsu.edu
    issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 6030 bytes and written 750 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is AES128-GCM-SHA256
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES128-GCM-SHA256
        Session-ID: 1B0AAEDAEB06597622A980F48AE8E15F87BB43306C0D26E38D208AB507525F6C
        Session-ID-ctx: 
        Master-Key: AB6584F77DE40B391759B6E26B6320F61A77B41E22DFFA005E9146D4BEBEA5FCC692773C13F3ECC09F27394C279689FB
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - 8a 93 fa 3c 8f ab f1 6b-db 99 81 e4 7b aa 49 75   ...<...k....{.Iu
        0010 - 4a 7d ce d3 4e af da e1-53 71 82 d0 e0 a0 a5 3b   J}..N...Sq.....;
        0020 - bf f1 14 07 3a f9 58 75-f7 e3 94 2d 5b 77 c6 a9   ....:.Xu...-[w..
        0030 - ec 19 d5 79 5c 99 ed 6c-c1 7e c8 55 ba 5c 84 23   ...y\..l.~.U.\.#
        0040 - 47 0b fa bc 8b 1d bb a9-3d 90 d7 91 c8 0c 0a 80   G.......=.......
        0050 - 26 05 f7 97 96 58 69 25-a0 ef 77 82 12 00 d4 35   &....Xi%..w....5
        0060 - 7a c4 9a 9c 46 f6 fd 9a-ce cf e6 29 91 d9 f1 fb   z...F......)....
        0070 - 45 ce b9 fd 38 e6 05 f6-f3 11 1a 1c 59 a0 a5 dd   E...8.......Y...
        0080 - f4 26 5c f6 65 b8 1e 4c-7c f0 43 3f 19 15 67 95   .&\.e..L|.C?..g.
        0090 - cd fa e6 a1 41 64 9a a7-e1 b9 5e 97 d4 78 66 ee   ....Ad....^..xf.
        00a0 - d1 0e 58 61 55 e8 a5 d7-8b 23 3d cd cf f6 f5 78   ..XaU....#=....x
        00b0 - b2 9d 92 bb 16 c4 de 47-f8 eb e2 60 4c b0 e4 82   .......G...`L...
    
        Start Time: 1503956011
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    DONE
    
  2. Frank Löffler
    • changed status to open

    For Debian this is a blocker since it prevents me from even downloading the code.

To be fair, Debian Buster is the development version of Debian, not the stable version (reducing priority due to that, at least for the moment). But yes, this should be upgraded. The server is still on Red Hat 5.11 (Tikanga), which is the main reason for the age of the TLS used.

    I've opened a ticket with IT support to have the machines OS upgraded. Steve is on CC for that. Also assigning to him.

  3. Roland Haas reporter
    • changed status to open

    This is occurring again.

    Trying to access svn.cactuscode.org from my Debian box (buster) fails with:

    openssl s_client -connect svn.cactuscode.org:443
    CONNECTED(00000005)
    140630053196224:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1907:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 86 bytes and written 317 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    

    and on a machine that would work with that command line, this one:

    openssl s_client -no_tls1 -connect svn.cactuscode.org:443
    

    fails, indicating that the server only supports TLS 1.0.

    Since Frank had had this fixed more than a year ago, I wonder why this is happening again.

  4. Roland Haas reporter

    This is really very annoying. The server also hosts the www repository behind https://cactuscode.org and right now, in order to fix typos in the posted Turing release date I noticed, I had to spin up a Debian Jessie VM just to get an old enough OpenSSL that will still talk to the ancient SSL library on svn.cactuscode.org.

    #2387 would at least take care of the most often updated repo.
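What the openssl s_client transcripts in the report and in comment 3 show at the wire level, written out as an added example (not code from the Cactus project or from anyone in this thread): a client offers the server exactly one protocol version in a ClientHello and looks at the first record that comes back. A server limited to TLS 1.0 answers a TLS 1.2 offer with a ServerHello that selects 1.0, which a client pinned to 1.2 (openssl -tls1_2, or a stack whose floor is 1.2, as on Debian buster) refuses as "unsupported protocol"; an older stack may instead send an alert. The probe() function needs network access and its host/port are caller-supplied assumptions; the parsing and verdict logic is exercised below on constructed records, not on captures from svn.cactuscode.org.

```python
"""Wire-level TLS version probe.

Added example for this issue thread, not code from the Cactus project or
from any commenter. probe() talks to a real host (host/port are assumptions
supplied by the caller); the record builder and parser are pure and are
demonstrated on constructed sample records at the bottom of the file.
"""
import os
import socket
import struct

TLS_VERSIONS = {"TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
ALERT_DESCRIPTIONS = {10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version"}


def build_client_hello(version: int) -> bytes:
    """Minimal ClientHello (no extensions) whose client_version is `version`.

    The record-layer version is pinned to 0x0301 (TLS 1.0), as real clients
    do, so that old servers do not reject the record before reading it."""
    body = struct.pack(">H", version)             # client_version
    body += os.urandom(32)                        # client random
    body += b"\x00"                               # session_id: empty
    suites = b"\x00\x2f\x00\x39"                  # RSA-AES128-SHA, DHE-RSA-AES256-SHA
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                           # compression methods: null only
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body  # type=ClientHello, u24 length
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def classify_response(data: bytes) -> dict:
    """Interpret the first TLS record returned in reply to our ClientHello."""
    if len(data) < 5:
        return {"result": "no_tls", "detail": "%d bytes received" % len(data)}
    content_type, record_version, _length = struct.unpack(">BHH", data[:5])
    if content_type == 0x15 and len(data) >= 7:                       # Alert
        level, desc = data[5], data[6]
        return {"result": "alert", "record_version": record_version,
                "fatal": level == 2,
                "description": ALERT_DESCRIPTIONS.get(desc, "alert(%d)" % desc)}
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake: ServerHello
        (server_version,) = struct.unpack(">H", data[9:11])
        return {"result": "server_hello", "record_version": record_version,
                "server_version": server_version}
    return {"result": "not_tls", "detail": "content type %#x" % content_type}


def verdict(offered: int, response: dict) -> str:
    """Turn a classified reply into the outcome a version-pinned client sees."""
    if response["result"] == "server_hello":
        if response["server_version"] == offered:
            return "supported"
        # The server selected a lower version than the only one offered; a
        # client pinned to `offered` aborts here with "unsupported protocol".
        return "downgraded to %#06x" % response["server_version"]
    if response["result"] == "alert":
        return "rejected with %s alert" % response["description"]
    return "no TLS handshake (%s)" % response["detail"]


def probe(host: str, port: int, version_name: str, timeout: float = 5.0) -> str:
    """Network probe: does `host` complete a handshake at exactly `version_name`?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(TLS_VERSIONS[version_name]))
        reply = sock.recv(4096)
    return verdict(TLS_VERSIONS[version_name], classify_response(reply))


# Constructed sample replies for offline use (not captured from any server).
def sample_server_hello(version: int) -> bytes:
    """ServerHello selecting `version`, empty session id, DHE-RSA-AES256-SHA."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + b"\x00\x39" + b"\x00"
    handshake = b"\x02" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal, protocol_version(70)


if __name__ == "__main__":
    for name, code in TLS_VERSIONS.items():
        print(name, "offered, server selects TLS 1.0:",
              verdict(code, classify_response(sample_server_hello(0x0301))))
    print("alert reply:", verdict(0x0303, classify_response(SAMPLE_ALERT_PROTOCOL_VERSION)))
    # Live check, e.g.: print(probe("svn.cactuscode.org", 443, "TLSv1.2"))
```

Running the file prints "supported" for the TLSv1 offer and "downgraded to 0x0301" for the 1.1 and 1.2 offers against the constructed TLS 1.0 ServerHello, which is the same picture the thread's transcripts paint: plain s_client (any version allowed) succeeds at TLSv1, while -tls1_2 or -no_tls1 fails. Call probe() with each entry of TLS_VERSIONS to get the same matrix for a live host.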
