SSL negotiation failed with svn

Question

I am running a server that accepts https requests. I have generated my own certificate. When going to the site in firefox I get the unknown certificate error, but that's fine. This (I think) indicates that port forwarding and such works.

I am trying to use svn with this. When using svn on the server (but using the external ip) it works. Again I get the certificate is unknown, but I don't care.

When using svn on mac OS X I get

SSL negotiation failed: SSL error code -1/1/336032856

I've found several posts on google about this, but they all say it's a bug with openssl version 0.9.8, and that using something higher should fix it.

I am currently using openssl 1.0.0c. I have no idea what's going wrong. I also checked the error log in httpd and nothing comes up.

Any ideas on this would really help.

Thanks

Answer 1

Upgrading from SVN 1.6.15 to 1.6.16 fix this issue for me.

Answer 2

I received the same error message when my Apache configuration was wrong - my ServerName parameter in httpd.conf did not match hostname in the self-signed certificate.

Answer 3

I started getting this error from older subversion clients (Tortoise 1.6.4 i think, and pysvn r1280) when our svn server had its Apache instance upgraded. It went from using OpenSSL 0.9.8n to 1.0.0d.

Tortoise got fixed by upgrading to 1.6.16 (uses OpenSSL 1.0.0d).

Fixing pysvn was a different story. The latest version (r1360) came bac kwith the same error. There didn't seem to be much info around apart from hints that OpenSLL might need upgrading. I tried copying in different versions of OpenSSL (libeay32.dll and ssleay32.dll) and here are the results:

• 0.9.8j (the existing DLL version, bundled with pysvn r1280) FAIL
• 0.9.8o (bundled with the latest pysvn, r1360) FAIL
• 0.9.8r (the latest in the 0.9.8 series) FAIL
• 1.0.0* (the 1.0 series is not binary compatible with pysvn) FAIL
• 0.9.8L (nabbed from CollabNet SVN 1.6.9 command line client) SUCCESS!

So whatever they fixed in release L got broken again soon after, or there's something special about CollabNet's OpenSSL binaries.

Answer 4

In my case it started happening after some certificates changes on the server side. I tried deleting the .subversion/ dir, updating openssl, openssh, svn, and nothing...

It got finally fixed when I replaced the url host name with the ip address of that host. In existing working copies was enough with:

svn  switch  --relocate http://hostname.com https://ipaddress

Not sure if this is a bug or what, but it seems that the new certificates are not recognized and keeps using the old cached ones for a given host name.