Bug 439601

Summary: Neon compiled using GnuTLS library makes subversion fail
Product: [Fedora] Fedora
Reporter: Lorenzo Villani <lorenzo>
Component: neon
Assignee: Joe Orton <jorton>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-03-29 22:15:41 UTC Type: ---

Description Lorenzo Villani 2008-03-29 14:49:19 UTC
Description of problem:
It seems that on rawhide the neon library (most notably used in subversion) is
linked through the GnuTLS library for SSL support.
This library seems to be the cause of errors like:

svn: PROPFIND request failed on '/home/kde/trunk/KDE/kdelibs'
svn: PROPFIND of '/home/kde/trunk/KDE/kdelibs': SSL negotiation failed:
SSL alert received: Handshake failed (https://svn.kde.org)

Re-building neon using OpenSSL instead of GnuTLS solved the problem.

Reference to Gentoo Bugzilla bug id: http://bugs.gentoo.org/show_bug.cgi?id=148306

Version-Release number of selected component: 0.28.1-2


How reproducible:
On rawhide use a Subversion client linked against neon + GnuTLS to check out a copy
of any of the KDE modules. It will probably fail with the error above.

Comment 1 Joe Orton 2008-03-29 21:23:05 UTC
Can you give the exact https:// URL used to reproduce this?

Comment 2 Joe Orton 2008-03-29 21:56:55 UTC
Never mind, I can reproduce it.

The problem seems to be that the SSL server at svn.kde.org is requiring use of
an (insecure) DES cipher.  I'll try to chase this up with the server administrators.

Comment 3 Joe Orton 2008-03-29 22:15:41 UTC
I've mailed the KDE webmaster team, they can fix this on the server. 

GnuTLS doesn't support DES ciphersuites because DES is known to be broken, see
http://www.ietf.org/internet-drafts/draft-ietf-tls-des-idea-01.txt

Any mod_ssl install requiring use of a DES ciphersuite has undoubtedly been
misconfigured, and should be fixed.  Allowing use of insecure ciphersuites is
simply not desirable; so I'm WONTFIXing this bug.  I'll add a note here with
feedback from the KDE guys.
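
The failure mode described in the comment above, as an added example that is not part of the original bug thread: a server that accepts only single-DES ciphersuites has nothing in common with a client that offers none, so the handshake is aborted. The suite lists are constructed sample data using OpenSSL-style names (not the real svn.kde.org or GnuTLS configuration), and the function names are hypothetical.

```python
import re

# Constructed sample data, not taken from any real server or library.
SERVER_DES_ONLY = ["DES-CBC-SHA", "EDH-RSA-DES-CBC-SHA"]          # misconfigured server
SERVER_FIXED = ["DHE-RSA-AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
CLIENT_NO_DES = ["DHE-RSA-AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]  # refuses single DES
CLIENT_WITH_DES = ["AES128-SHA", "DES-CBC3-SHA", "DES-CBC-SHA"]       # still offers it


def is_single_des(suite: str) -> bool:
    """True for single-DES suites in OpenSSL or IANA naming; False for 3DES.

    OpenSSL writes 3DES as DES-CBC3, IANA as 3DES_EDE, so a bare DES token
    that is not followed by CBC3 means single DES (including export suites).
    """
    tokens = re.split(r"[-_]", suite.upper())
    return any(tok == "DES" and tokens[i + 1:i + 2] != ["CBC3"]
               for i, tok in enumerate(tokens))


def negotiate(server_accepts, client_offers):
    """Simplified selection: first client-offered suite the server accepts.

    Real servers may apply their own preference order; the outcome when the
    two lists do not overlap (no suite, handshake failure) is the same.
    """
    accepted = set(server_accepts)
    return next((s for s in client_offers if s in accepted), None)


def diagnose(server_accepts, client_offers):
    """Return (chosen_suite_or_None, verdict) for one client/server pair."""
    chosen = negotiate(server_accepts, client_offers)
    if chosen is not None:
        verdict = "insecure: single DES negotiated" if is_single_des(chosen) else "ok"
        return chosen, verdict
    if server_accepts and all(is_single_des(s) for s in server_accepts):
        return None, "handshake failure: server accepts only single-DES suites"
    return None, "handshake failure: no common ciphersuite"


if __name__ == "__main__":
    for server in (SERVER_DES_ONLY, SERVER_FIXED):
        for client in (CLIENT_NO_DES, CLIENT_WITH_DES):
            print(server, client, diagnose(server, client))
```

The second case is the one to watch for when auditing: a client that still offers single DES connects without any error, which is why the misconfiguration went unnoticed until a stricter client appeared.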

Comment 4 Joe Orton 2008-03-29 22:17:53 UTC
I meant to also say: thanks a lot for reporting the bug, in any case!

No thanks to the Gentoo guys for discovering this 18 months ago and doing
nothing about it :(

Comment 5 Lorenzo Villani 2008-03-30 00:30:37 UTC
I really hope they'll fix this issue soon. In the meanwhile can you provide a
package compiled using OpenSSL as a work-around? (And remove it as soon as they
fix their server configuration)

Comment 6 Joe Orton 2008-03-31 09:08:43 UTC
You should be able to downgrade to the F8 package.

http://koji.fedoraproject.org/koji/buildinfo?buildID=19535

Comment 7 Joe Orton 2008-04-10 14:24:22 UTC
The KDE guys have now fixed their server; can you verify with the Raw Hide svn?
(I'm away from my normal test box at the moment)

Comment 8 Lorenzo Villani 2008-04-10 17:47:44 UTC
I tested it on my rawhide image inside VirtualBox and asked a friend to do the
same test on his rawhide box and it seems that everything is fine.