https://bugzilla.suse.com/show_bug.cgi?id=1226399

Bug ID: 1226399
Summary: Fix: svn client broken in LEAP 15.6 due to kTLS and libserf interaction
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.6
Hardware: x86-64
OS: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Development
Assignee: screening-team-bugs@suse.de
Reporter: hpaluch@seznam.cz
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Created attachment 875504
  --> https://bugzilla.suse.com/attachment.cgi?id=875504&action=edit
Disable kTLS in BIO_ctrl

Svn in LEAP 15.6 is unable to access any https SVN server (it loops forever), while the same SVN client works without issues in LEAP 15.5.

How to reproduce:

1. Bug occurs only in LEAP 15.6 (works properly in LEAP 15.5)

2. install SVN:

    zypper in subversion
    rpm -q subversion libserf-1-1
    subversion-1.14.1-150400.3.8.x86_64
    libserf-1-1-1.3.9-150600.18.3.2.x86_64

3. Try to connect to any https server:

    svn info https://svn.apache.org/repos/asf/serf/trunk

4. It will loop forever

The problem is caused by OpenSSL's Kernel TLS (kTLS) interaction with libserf (libserf is used as a layer between svn and OpenSSL).

There is a terse description of this problem (even mentioning libserf) here:
https://github.com/openssl/openssl/issues/14595#issuecomment-801969560

The only buggy BIO types I know about are in Apache serf and Apache ssl_engine_io.c, but I also haven't been on the front lines for this. T

Tracing shows that unpatched libserf sends invalid TLS data (missing initial 5 byte record when compared to working version) - because OpenSSL expects that data will be generated by kernel kTLS. So the TLS server immediately closes the connection as invalid TLS communication.

How to fix:

1. You will need the provided patch serf-disable-ktls.patch

2. install and unpack libserf source:

    zypper si libserf
    rpmbuild -bp /usr/src/packages/SPECS/libserf.spec

3. Now apply the provided patch:

    cd /usr/src/packages/BUILD
    patch -p0 < ../SOURCES/serf-disable-ktls.patch

4. Do a short-circuit build (to avoid overwrite of fixed sources)

    rpmbuild -bc --short-circuit /usr/src/packages/SPECS/libserf.spec

5. Test svn with patched libserf, now it should work properly

    LD_LIBRARY_PATH=/usr/src/packages/BUILD/serf-1.3.9 svn info https://svn.apache.org/repos/asf/serf/trunk
    Path: trunk
    URL: https://svn.apache.org/repos/asf/serf/trunk
    Relative URL: ^/serf/trunk
    Repository Root: https://svn.apache.org/repos/asf
    Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
    Revision: 1918360
    Node Kind: directory
    Last Changed Author: kotkov
    Last Changed Rev: 1910150
    Last Changed Date: 2023-05-31 20:36:21 +0200 (Wed, 31 May 2023)
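
Added example, not part of the original report and not code from serf or OpenSSL: a small checker for the symptom the tracing describes, confirming whether bytes captured from the client side of a connection are framed as TLS records with the 5-byte header. The function names and both byte samples are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record header: content type (1) | legacy version (2) | length (2). */
enum { TLS_HDR_LEN = 5, TLS_MAX_LEN = 16384 + 2048 }; /* TLS 1.2 ciphertext limit */

typedef enum { REC_OK, REC_SHORT, REC_BAD_TYPE, REC_BAD_VERSION, REC_BAD_LENGTH } rec_status;

/* Validate one record at buf; on REC_OK, *rec_len is header plus fragment. */
rec_status check_tls_record(const uint8_t *buf, size_t len, size_t *rec_len)
{
    if (len < TLS_HDR_LEN) return REC_SHORT;
    if (buf[0] < 20 || buf[0] > 23) return REC_BAD_TYPE; /* CCS, alert, handshake, app data */
    if (buf[1] != 0x03 || buf[2] > 0x04) return REC_BAD_VERSION;
    size_t frag = ((size_t)buf[3] << 8) | buf[4];
    if (frag > TLS_MAX_LEN) return REC_BAD_LENGTH;
    if (len - TLS_HDR_LEN < frag) return REC_SHORT;
    *rec_len = TLS_HDR_LEN + frag;
    return REC_OK;
}

/* Walk a captured stream; return the count of whole records and why parsing stopped. */
size_t count_records(const uint8_t *buf, size_t len, rec_status *why)
{
    size_t off = 0, count = 0, rec_len = 0;
    *why = REC_OK;
    while (off < len) {
        *why = check_tls_record(buf + off, len - off, &rec_len);
        if (*why != REC_OK) break;
        off += rec_len;
        count++;
    }
    return count;
}

/* Constructed samples (not from the bug): the same 8 payload bytes with and without a header. */
static const uint8_t framed[]   = { 0x16, 0x03, 0x01, 0x00, 0x08,
                                    0x01, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t unframed[] = { 0x01, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    rec_status why;
    size_t n = count_records(framed, sizeof framed, &why);
    printf("framed:   %zu record(s), status %d\n", n, (int)why);
    n = count_records(unframed, sizeof unframed, &why);
    printf("unframed: %zu record(s), status %d\n", n, (int)why);
    return 0;
}
```

Run over the first bytes of a client-to-server capture, a status other than REC_OK at offset 0 means the stream is not framed as TLS records.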