Bug 439601 - Neon compiled using GnuTLS library makes subversion fail
Neon compiled using GnuTLS library makes subversion fail
Product: Fedora
Classification: Fedora
Component: neon (Show other bugs)
i386 Linux
low Severity high
: ---
: ---
Assigned To: Joe Orton
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-03-29 10:49 EDT by Lorenzo Villani
Modified: 2008-04-10 13:47 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-03-29 18:15:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lorenzo Villani 2008-03-29 10:49:19 EDT
Description of problem:
It seems that on rawhide the neon library (most notably used in subversion) is
linked through GnuTLS library for SSL support.
This library seems to be the cause of errors like:

svn: PROPFIND request failed on '/home/kde/trunk/KDE/kdelibs'
svn: PROPFIND of '/home/kde/trunk/KDE/kdelibs': SSL negotiation failed:
SSL alert received: Handshake failed (https://svn.kde.org)

Re-building neon using OpenSSL instead of GnuTLS solved the problem.

Reference to Gentoo Bugzilla bug id: http://bugs.gentoo.org/show_bug.cgi?id=148306

Version-Release number of selected component: 0.28.1-2

How reproducible:
On rawhide use Subversion client linked against neon + GnuTLS to checkout a copy
of any of KDE modules. It will probably fail with the error above.
Comment 1 Joe Orton 2008-03-29 17:23:05 EDT
Can you give the exact https:// URL used to reproduce this?
Comment 2 Joe Orton 2008-03-29 17:56:55 EDT
Never mind, I can reproduce it.

The problem seems to be that the SSL server at svn.kde.org is requiring use of
an (insecure) DES cipher.  I'll try to chase this up with the server administrators.
Comment 3 Joe Orton 2008-03-29 18:15:41 EDT
I've mailed the KDE webmaster team, they can fix this on the server. 

GnuTLS doesn't support DES ciphersuites because DES is known to be broken, see

Any mod_ssl install requiring use of a DES ciphersuite has undoubtedly been
misconfigured, and should be fixed.  Allowing use of insecure ciphersuites is
simply not desirable; so I'm WONTFIXing this bug.  I'll add a note here with
feedback from the KDE guys.
Comment 4 Joe Orton 2008-03-29 18:17:53 EDT
I meant to also say: thanks a lot for reporting the bug, in any case!

No thanks to the Gentoo guys for discovering this 18 months ago and doing
nothing about it :(
Comment 5 Lorenzo Villani 2008-03-29 20:30:37 EDT
I really hope they'll fix this issue soon. In the meanwhile can you provide a
package compiled using OpenSSL as a work-around? (And remove it as soon as they
fix their server configuration)
Comment 6 Joe Orton 2008-03-31 05:08:43 EDT
You should be able to downgrade to the F8 package.

Comment 7 Joe Orton 2008-04-10 10:24:22 EDT
The KDE guys have now fixed their server; can you verify with the Raw Hide svn?
(I'm away from my normal test box at the moment)
Comment 8 Lorenzo Villani 2008-04-10 13:47:44 EDT
I tested it on my rawhide image inside VirtualBox and asked a friend to do the
same test on his rawhide box and it seems that everything is fine.

Note You need to log in before you can comment on or make changes to this bug.