Context Navigation

Back to Ticket #67931

Ticket #67931: Re_ Subversion sasl authentication fails with openssl3.1 - Michael Fischer <michael.fischer@yale.edu> - 2023-08-27 1628.eml

File Re_ Subversion sasl authentication fails with openssl3.1 - Michael Fischer <michael.fischer@yale.edu> - 2023-08-27 1628.eml, 17.9 KB (added by MichaelJFischer, 13 months ago)
Correspondence with subversion developer

Line
1	Content-Type: multipart/alternative;
2	boundary="------------88r39cPU0W00kc0b7dxFagps"
3	Message-ID: <cfabfce4-6cae-3486-3e3d-b8b471432fdb@yale.edu>
4	Date: Sun, 27 Aug 2023 16:28:00 -0400
5	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0)
6	Gecko/20100101 Thunderbird/102.14.0
7	Subject: Re: Subversion sasl authentication fails with openssl3.1
8	Content-Language: en-US
9	To: Daniel Sahlberg <daniel.l.sahlberg@gmail.com>
10	Cc: "users@subversion.apache.org" <users@subversion.apache.org>,
11	"macports-dev@lists.macports.org" <macports-dev@lists.macports.org>
12	References: <5d19a848-dbc1-8656-e0d1-c1d9440d4f65@yale.edu>
13	<CAMHy98P8eNQu8eXS0RDC5Jp4-NSAqbRhzxg4pmNDa_wUGMqphA@mail.gmail.com>
14	From: Michael Fischer <michael.fischer@yale.edu>
15	In-Reply-To: <CAMHy98P8eNQu8eXS0RDC5Jp4-NSAqbRhzxg4pmNDa_wUGMqphA@mail.gmail.com>
16	MIME-Version: 1.0
17
18	--------------88r39cPU0W00kc0b7dxFagps
19	Content-Type: text/plain; charset=UTF-8; format=flowed
20	Content-Transfer-Encoding: 8bit
21
22	Dear Daniel,
23
24	Thank you for the careful reply. Some answers are interspersed below.
25
26	On 8/22/23 7:40 AM, Daniel Sahlberg wrote:
27	> Den sön 20 aug. 2023 kl 17:14 skrev Fischer, Michael
28	> <michael.fischer@yale.edu>:
29	>
30	> I have many repositories configured for sasl authentication. The
31	> svn client for Mac osx, built using MacPorts, recently stopped
32	> working. I first reported the problem to the MacPorts bug list
33	> but have been advised to report it to the subversion developers.
34	> (See below.)
35	>
36	> Here's the error I get when trying to update a working directory.
37	>
38	> > svn update
39	> Updating '.':
40	> svn: E170013: Unable to connect to a repository at URL
41	> 'svn://ohia.cs.yale.edu/cs414-2022f'
42	> svn: E170001: SASL authentication error: SASL(-1): generic
43	> failure: internal error: failed to init cipher 'rc4'
44	>
45	> What is the version of Subversion on the above server? What version of
46	> Sasl and OpenSSL?
47	subversion: 1.14.2
48	cyrus-sasl: 2.1.28
49	GNU sasl library (libgsasl): 1.10.0
50	OpenSSL: 3.09; also 1.1.1q
51
52	The server is running Fedora 38 linux. I don't know which sasl library
53	the server is actually linked to, but the server works find with all
54	clients except for the MacPorts one.
55	>
56	> The problem seems to be that Sasl3.1 is not upwards compatible
57	> with sasl2.
58	>
59	>
60	> Are you confusing Sasl with OpenSSL here? I believe Sasl is only on
61	> version 2.1 while OpenSSL recently released versions 3.0 and 3.1
62	> (there never was an OpenSSL 2.x).
63	Yes, I'm afraid so. 😅
64	I believe MacPorts is linking to openssl3, which is why my workaround
65	(below) fixes the problem.
66	>
67	> This causes the Macports build of svn to fail when attempting to
68	> log into a server configured to use_sasl. A workaround is to
69	> rebuild the openssl3 port with the command
70	>
71	> sudo port upgrade --enforce-variants openssl3 +legacy
72	>
73	> I'm guessing, based on the "+legacy" argument, that the server you try
74	> to connect to is using RC4 and since this is deprecated in OpenSSL 3
75	> (see
76	> https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html
77	> <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2FOSSL_PROVIDER-legacy.html&data=05%7C01%7Cmichael.fischer%40yale.edu%7C9a90417947044fd239c108dba304912b%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C638283012293627329%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hYDWfiiN2Ba3ADHKyteHSe23acOsRppdckHFOyP51Wk%3D&reserved=0>)
78	> you are unable to connect.
79	>
80	> If this assumption is correct, then this is neither a bug in
81	> Subversion, nor in Sasl or OpenSSL. Rather it is a case of mismatching
82	> configuration and software versions between the server and the client.
83	> Updating the server to support newer chiphers should probably resolve
84	> the situation.
85	I think you are correct in your analysis of why the MacPorts client
86	fails to connect without the "+legacy" argument.
87	>
88	> I reported this as MacPorts bug #67931
89	> <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac.macports.org%2Fticket%2F67931&data=05%7C01%7Cmichael.fischer%40yale.edu%7C9a90417947044fd239c108dba304912b%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C638283012293627329%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BlE0O8GrVN1LfkcZ1nWJEUmCjTW9iTMH9%2B9jj%2FaBN2g%3D&reserved=0>.
90	> A comment by ryandesign said,
91	>
92	> A port "can't" depend on a variant of another port (see
93	> #126). It can use
94	> the active_variants 1.1 portgroup, but that requires manual
95	> intervention
96	> from the user, and prevents the buildbot from automatically
97	> creating
98	> binary archives of the port.
99	>
100	> Have you reported this problem to the developers of
101	> Subversion? If not,
102	> please do, and put the URL of the report here.
103	>
104	> I am attempting to do so here. Apparently the email is required
105	> before I can make a bug report.
106	>
107	> Please let me know how to proceed with the bug report.
108	>
109	>
110	> You've done absolutely correct in sending an e-mail here. I assume you
111	> have already seen the guidance on the website
112	> (https://subversion.apache.org/docs/community-guide/issues.html
113	> <https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsubversion.apache.org%2Fdocs%2Fcommunity-guide%2Fissues.html&data=05%7C01%7Cmichael.fischer%40yale.edu%7C9a90417947044fd239c108dba304912b%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C638283012293627329%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5OYB0Up6PTjR%2FKylxFgnrkHpwpHPW5cMZyKzN8%2F8WPw%3D&reserved=0>)
114	> on why we don't want anything added to the issue tracker before it has
115	> been accepted as a bug on the mailing list.
116	>
117	> Kind regards,
118	> Daniel Sahlberg
119	You've convinced me that this is not a subversion problem but rather one
120	of attempting to build it against the openssl3 library rather than
121	against the cyrus-sasl2 library. This would seem to be a problem with
122	the MacPorts build script attempting to use the wrong library for
123	subversion. MacPorts does know about cyrus-sasl2 (and in fact it is
124	installed on my node). Unfortunately, I do not know enough about how
125	MacPorts works to suggest the fix, but I think it is clear now what
126	needs to be done.
127
128	Thank you once again for your help and for the effort you put into
129	addressing my concerns.
130
131	Best regards,
132	--Mike
133
134	--
135	===============================================
136	\| Michael Fischer<michael.fischer@yale.edu> \|
137	\| Professor of Computer Science \|
138	===============================================
139
140	--------------88r39cPU0W00kc0b7dxFagps
141	Content-Type: text/html; charset=UTF-8
142	Content-Transfer-Encoding: 8bit
143
144	<html><head>
145	<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
146	</head>
147	<body>
148	Dear Daniel,<br>
149	<br>
150	Thank you for the careful reply.  Some answers are interspersed
151	below.<br>
152	<br>
153	<div class="moz-cite-prefix">On 8/22/23 7:40 AM, Daniel Sahlberg
154	wrote:<br>
155	</div>
156	<blockquote type="cite" cite="mid:CAMHy98P8eNQu8eXS0RDC5Jp4-NSAqbRhzxg4pmNDa_wUGMqphA@mail.gmail.com">
157
158	<div dir="ltr">
159	<div dir="ltr">
160	<div dir="ltr">
161	<div dir="ltr">Den sön 20 aug. 2023 kl 17:14 skrev Fischer,
162	Michael <<a href="mailto:michael.fischer@yale.edu" target="_blank" moz-do-not-send="true" class="moz-txt-link-freetext">michael.fischer@yale.edu</a>>:<br>
163	</div>
164	<div class="gmail_quote">
165	<blockquote class="gmail_quote" style="margin:0px 0px 0px
166	0.8ex;border-left:1px solid
167	rgb(204,204,204);padding-left:1ex">
168	<div>
169	I have many repositories configured for sasl
170	authentication.  The svn client for Mac osx, built
171	using MacPorts, recently stopped working.  I first
172	reported the problem to the MacPorts bug list but have
173	been advised to report it to the subversion
174	developers.  (See below.)<br>
175	<br>
176	Here's the error I get when trying to update a working
177	directory.<br>
178	<blockquote><font face="monospace">> svn update<br>
179	Updating '.':<br>
180	svn: E170013: Unable to connect to a repository at
181	URL '<a moz-do-not-send="true">svn://ohia.cs.yale.edu/cs414-2022f</a>'<br>
182	svn: E170001: SASL authentication error: SASL(-1):
183	generic failure: internal error: failed to init
184	cipher 'rc4'</font></blockquote>
185	</div>
186	</blockquote>
187	<div>What is the version of Subversion on the above
188	server? What version of Sasl and OpenSSL?<br>
189	</div>
190	</div>
191	</div>
192	</div>
193	</div>
194	</blockquote>
195	subversion:  1.14.2<br>
196	cyrus-sasl: 2.1.28<br>
197	GNU sasl library (libgsasl): 1.10.0<br>
198	OpenSSL: 3.09; also 1.1.1q<br>
199	<br>
200	The server is running Fedora 38 linux.  I don't know which sasl
201	library the server is actually linked to, but the server works find
202	with all clients except for the MacPorts one.<br>
203	<blockquote type="cite" cite="mid:CAMHy98P8eNQu8eXS0RDC5Jp4-NSAqbRhzxg4pmNDa_wUGMqphA@mail.gmail.com">
204	<div dir="ltr">
205	<div dir="ltr">
206	<div dir="ltr">
207	<div class="gmail_quote">
208	<blockquote class="gmail_quote" style="margin:0px 0px 0px
209	0.8ex;border-left:1px solid
210	rgb(204,204,204);padding-left:1ex">
211	<div>
212	The problem seems to be that Sasl3.1 is not upwards
213	compatible with sasl2.   </div>
214	</blockquote>
215	<div><br>
216	</div>
217	<div>Are you confusing Sasl with OpenSSL here? I believe
218	Sasl is only on version 2.1 while OpenSSL recently
219	released versions 3.0 and 3.1 (there never was an
220	OpenSSL 2.x).</div>
221	</div>
222	</div>
223	</div>
224	</div>
225	</blockquote>
226	Yes, I'm afraid so.  😅<br>
227	I believe MacPorts is linking to openssl3, which is why my
228	workaround (below) fixes the problem.<br>
229	<blockquote type="cite" cite="mid:CAMHy98P8eNQu8eXS0RDC5Jp4-NSAqbRhzxg4pmNDa_wUGMqphA@mail.gmail.com">
230	<div dir="ltr">
231	<div dir="ltr">
232	<div dir="ltr">
233	<div class="gmail_quote">
234	<blockquote class="gmail_quote" style="margin:0px 0px 0px
235	0.8ex;border-left:1px solid
236	rgb(204,204,204);padding-left:1ex">
237	<div>This causes the Macports build of svn to fail when
238	attempting to log into a server configured to
239	use_sasl.  A workaround is to rebuild the openssl3
240	port with the command<br>
241	<blockquote>
242	<pre>sudo port upgrade --enforce-variants openssl3 +legacy</pre>
243	</blockquote>
244	</div>
245	</blockquote>
246	<div>I'm guessing, based on the "+legacy" argument, that
247	the server you try to connect to is using RC4 and since
248	this is deprecated in OpenSSL 3 (see <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.openssl.org%2Fdocs%2Fman3.0%2Fman7%2FOSSL_PROVIDER-legacy.html&data=05%7C01%7Cmichael.fischer%40yale.edu%7C9a90417947044fd239c108dba304912b%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C638283012293627329%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=hYDWfiiN2Ba3ADHKyteHSe23acOsRppdckHFOyP51Wk%3D&reserved=0" originalsrc="https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html" shash="wXK6W+3aXAS7rAOdvNeo9YTTPByDwPB3gk4kkPlbV2jMmbAr5ozn3iBeDrBxk5XfNNKSAUFWxDfSYcw/YVKyVxdmSG4higlod2f3ozDBksh1XuCZQlbWMxsK46dNXXKNn5FC58xiHghqLEeL+PR/VhdYzP3mBtIJuW2OlYkepaM=" moz-do-not-send="true">https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html</a>)
249	you are unable to connect.</div>
250	<div><br>
251	</div>
252	<div>If this assumption is correct, then this is neither a
253	bug in Subversion, nor in Sasl or OpenSSL. Rather it is
254	a case of mismatching configuration and software
255	versions between the server and the client. Updating the
256	server to support newer chiphers should probably resolve
257	the situation.</div>
258	</div>
259	</div>
260	</div>
261	</div>
262	</blockquote>
263	I think you are correct in your analysis of why the MacPorts client
264	fails to connect without the "+legacy" argument.<br>
265	<blockquote type="cite" cite="mid:CAMHy98P8eNQu8eXS0RDC5Jp4-NSAqbRhzxg4pmNDa_wUGMqphA@mail.gmail.com">
266	<div dir="ltr">
267	<div dir="ltr">
268	<div dir="ltr">
269	<div class="gmail_quote">
270	<blockquote class="gmail_quote" style="margin:0px 0px 0px
271	0.8ex;border-left:1px solid
272	rgb(204,204,204);padding-left:1ex">
273	<div>
274	<blockquote>
275	</blockquote>
276	I reported this as MacPorts bug <a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftrac.macports.org%2Fticket%2F67931&data=05%7C01%7Cmichael.fischer%40yale.edu%7C9a90417947044fd239c108dba304912b%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C638283012293627329%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BlE0O8GrVN1LfkcZ1nWJEUmCjTW9iTMH9%2B9jj%2FaBN2g%3D&reserved=0" originalsrc="https://trac.macports.org/ticket/67931" shash="fveHhXoY3WuwPnUlT/3erPuzuF0je1oRioA8VYa0wX0/2MGKylgNPD96hGCIH1bxAke/0QJl9yFIMoz3CzSuUqyRVC09BsNflJ7eZNd9z/P4crv3DPFS90MAVwYE5zyglufREAJez+TEesyu6NDqwk74vIuplYfb5q6VNoTap48=" target="_blank" moz-do-not-send="true">
277	#67931</a>.  A comment by ryandesign said,<br>
278	<blockquote> A port "can't" depend on a variant of
279	another port (see #126). It can use<br>
280	the active_variants 1.1 portgroup, but that
281	requires manual intervention<br>
282	from the user, and prevents the buildbot from
283	automatically creating<br>
284	binary archives of the port.<br>
285	<br>
286	Have you reported this problem to the developers of
287	Subversion? If not,<br>
288	please do, and put the URL of the report here.<br>
289	</blockquote>
290	I am attempting to do so here.  Apparently the email
291	is required before I can make a bug report.<br>
292	<br>
293	Please let me know how to proceed with the bug report.<br>
294	</div>
295	</blockquote>
296	<div><br>
297	</div>
298	<div>You've done absolutely correct in sending an e-mail
299	here. I assume you have already seen the guidance on the
300	website (<a href="https://nam12.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsubversion.apache.org%2Fdocs%2Fcommunity-guide%2Fissues.html&data=05%7C01%7Cmichael.fischer%40yale.edu%7C9a90417947044fd239c108dba304912b%7Cdd8cbebb21394df8b4114e3e87abeb5c%7C0%7C0%7C638283012293627329%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5OYB0Up6PTjR%2FKylxFgnrkHpwpHPW5cMZyKzN8%2F8WPw%3D&reserved=0" originalsrc="https://subversion.apache.org/docs/community-guide/issues.html" shash="ecBkVR+PcbRLr9tNW1hKN/5Z6QosNUNDYaze06O2JRB0tLp/othPYcpD/+Q1BeX0hIGmdJ9EqassCe5ca4zbuFWWSbWniUBMz8jCY0n1HBUncaA+uvlEqXx+y8+nlW46O6x/UUcgigqFvoNRjEki1edNIUmEbiFavH1fGyiaO+4=" moz-do-not-send="true">https://subversion.apache.org/docs/community-guide/issues.html</a>)
301	on why we don't want anything added to the issue tracker
302	before it has been accepted as a bug on the mailing
303	list.</div>
304	<div><br>
305	</div>
306	<div>Kind regards,</div>
307	<div>Daniel Sahlberg</div>
308	</div>
309	</div>
310	</div>
311	</div>
312	</blockquote>
313	You've convinced me that this is not a subversion problem but rather
314	one of attempting to build it against the openssl3 library rather
315	than against the cyrus-sasl2 library.  This would seem to be a
316	problem with the MacPorts build script attempting to use the wrong
317	library for subversion.  MacPorts does know about cyrus-sasl2 (and
318	in fact it is installed on my node).  Unfortunately, I do not know
319	enough about how MacPorts works to suggest the fix, but I think it
320	is clear now what needs to be done.<br>
321	<br>
322	Thank you once again for your help and for the effort you put into
323	addressing my concerns.<br>
324	<br>
325	Best regards,<br>
326	--Mike<br>
327	<pre class="moz-signature" cols="72">--
328	===============================================
329	\| Michael Fischer <a class="moz-txt-link-rfc2396E" href="mailto:michael.fischer@yale.edu"><michael.fischer@yale.edu></a> \|
330	\| Professor of Computer Science \|
331	===============================================
332	</pre>
333	</body>
334	</html>
335
336	--------------88r39cPU0W00kc0b7dxFagps--

Download in other formats:

Original Format