Bug ID 1226399
Summary Fix: svn client broken in LEAP 15.6 due kTLS and libserf interaction
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.6
Hardware x86-64
OS Other
Status NEW
Severity Critical
Priority P5 - None
Component Development
Assignee screening-team-bugs@suse.de
Reporter hpaluch@seznam.cz
QA Contact qa-bugs@suse.de
Target Milestone ---
Found By ---
Blocker ---

Created attachment 875504
Disable kTLS in BIO_ctrl

Svn in LEAP 15.6 is unable to access any https SVN server (it loops forever),
while the same SVN client works without issues in LEAP 15.5.

How to reproduce:

1. Bug occurs only in LEAP 15.6 (works properly in LEAP 15.5)
2. Install SVN:

zypper in subversion
rpm -q subversion libserf-1-1

  subversion-1.14.1-150400.3.8.x86_64
  libserf-1-1-1.3.9-150600.18.3.2.x86_64


3. Try to connect to any https server:

svn info https://svn.apache.org/repos/asf/serf/trunk

4. It will loop forever

The problem is caused by OpenSSL's Kernel TLS (kTLS) interaction with libserf
(libserf is used as a layer between svn and OpenSSL).

There is a terse description of this problem (even mentioning libserf) here:
https://github.com/openssl/openssl/issues/14595#issuecomment-801969560

> The only buggy BIO types I know about are in Apache serf
> and Apache ssl_engine_io.c, but I also haven't been on
> the front lines for this. T

Tracing shows that unpatched libserf sends invalid TLS data (missing the initial
5-byte record when compared to the working version), because OpenSSL expects that
the data will be generated by kernel kTLS. So the TLS server immediately closes
the connection as invalid TLS communication.

How to fix:

1. You will need the provided patch serf-disable-ktls.patch
2. Install and unpack the libserf source:

zypper si libserf
rpmbuild -bp /usr/src/packages/SPECS/libserf.spec

3. Now apply the provided patch:

cd /usr/src/packages/BUILD
patch -p0 < ../SOURCES/serf-disable-ktls.patch

4. Do a short-circuit build (to avoid overwriting the fixed sources):

rpmbuild -bc --short-circuit /usr/src/packages/SPECS/libserf.spec

5. Test svn with the patched libserf; it should now work properly:

LD_LIBRARY_PATH=/usr/src/packages/BUILD/serf-1.3.9 svn info https://svn.apache.org/repos/asf/serf/trunk
Path: trunk
URL: https://svn.apache.org/repos/asf/serf/trunk
Relative URL: ^/serf/trunk
Repository Root: https://svn.apache.org/repos/asf
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 1918360
Node Kind: directory
Last Changed Author: kotkov
Last Changed Rev: 1910150
Last Changed Date: 2023-05-31 20:36:21 +0200 (Wed, 31 May 2023)
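
One way to check a captured client-to-server byte stream for the framing symptom described in this report (data arriving without the 5-byte TLS record header), as an added example that is not part of the original report or the attached patch. The function names and the sample bytes are constructed for illustration and are not taken from the reporter's trace.

```python
import struct

# TLS record header: content type (1) | legacy version (2) | length (2) = 5 bytes
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext length TLS 1.2 permits


def parse_records(stream: bytes):
    """Split one direction of a TCP payload into TLS records.

    Returns (records, error); error is None when the stream is well framed.
    Each record is (content_type_name, (major, minor), payload_length).
    """
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            return records, f"offset {off}: truncated record header"
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, off)
        if ctype not in CONTENT_TYPES:
            return records, f"offset {off}: invalid content type 0x{ctype:02x}"
        if major != 3 or minor > 4:
            return records, f"offset {off}: invalid version {major}.{minor}"
        if length > MAX_RECORD_LEN:
            return records, f"offset {off}: record length {length} too large"
        if off + 5 + length > len(stream):
            return records, f"offset {off}: truncated record body"
        records.append((CONTENT_TYPES[ctype], (major, minor), length))
        off += 5 + length
    return records, None


def make_record(ctype: int, payload: bytes) -> bytes:
    """Prefix a payload with the 5-byte record header (version 3.1 on the wire)."""
    return struct.pack("!BBBH", ctype, 3, 1, len(payload)) + payload


# Constructed sample: a handshake message (type 0x01, 3-byte length 4, filler).
HANDSHAKE_BODY = b"\x01\x00\x00\x04" + b"\xaa" * 4
FRAMED = make_record(22, HANDSHAKE_BODY)   # what a TLS server expects to see
UNFRAMED = HANDSHAKE_BODY                  # same bytes with the header missing

if __name__ == "__main__":
    for name, data in (("framed", FRAMED), ("unframed", UNFRAMED)):
        print(name, parse_records(data))
```

Feed it the raw bytes of the first client flight taken from a packet capture; a stream that fails at offset 0 was never wrapped in a record by user space.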

