7

I am getting this error while checking out.

svn: E170013: Unable to connect to a repository at URL 'https://some.host/some/repo/'
svn: E120171: Error running context: An error occurred during SSL communication

$ svn --version

svn, version 1.10.4 (r1850624)
   compiled Jul 28 2019, 02:44:06 on x86_64-pc-linux-gnu

Copyright (C) 2019 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository access (RA) modules are available:

* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.9 (compiled with 1.3.9)
  - handles 'http' scheme
  - handles 'https' scheme

The following authentication credential caches are available:

* Plaintext cache in /home/kusan/.subversion
* Gnome Keyring
* GPG-Agent
* KWallet (KDE)

Please help me solve this problem. I am on a fresh install of Debian 10. In Debian 9 it worked fine. Thanks in advance.

6 Answers

12

You may have run into this error because the minimum version of TLS defaults to higher than that used by the Subversion server.

Your choices are to upgrade your Subversion server's version of TLS if you own the server, or change your Subversion repository provider if you pay for one.

If these two options are not available to you (for example, you are checking out someone else's project, or you're working on a job that requires you to check out a client's from their server), then you can choose to downgrade the minimum version of TLS that SSL uses. You should note that this incurs some security risk, as TLS 1.0 is 20 years old and is now deprecated.

With that warning in mind, you can alter your SSL conf file. You can find where this file is located on your system by typing

openssl version -d

You will need the correct permissions to edit the file.

[I like to make a backup of any conf file before editing it so you can easily regress if necessary]

Add to the top of the file:

openssl_conf = default_conf

At the end of the file, add the following:

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=1

This is saying that TLS version 1.0 is the minimum acceptable. If version 1.1 is acceptable, change TLSv1 to TLSv1.1

1
  • Hi @Madeleine. Although it is late and although I had figured it out myself already, thanks a lot for the reply. Yes, you are absolutely right in diagnosing the problem. The SVN server was 8 years old and Apache was using an ancient version of TLS. When we upgraded to Debian 10 at our workplace, the svn client was throwing that error as the serf library had deprecated usage of TLSv1. We realized this and decided to upgrade our server. I did upgrade the server, which is now running Debian 10, Apache with TLSv1.3. Everything works fine now. I am accepting your answer as you correctly diagnosed it. Commented May 30, 2020 at 12:39
2

Copy your openssl.conf to:

/home/username/openssl.cnf

Alter this:

# MinProtocol = TLSv1.1
MinProtocol = TLSv1

Then:

export OPENSSL_CONF=/home/username/openssl.cnf
svn ls https://subversion/svn/path
3
  • TLSv1 is deprecated, and this answer appears to recommend enabling it. I can't think of a justification to enable TLSv1 at this time. Commented Mar 28, 2020 at 23:54
  • 1
    I can certainly think of a justification: If this is the only computer you have access to, and you need to get this work done, it is an acceptable, temporary work-around (and the answer should reflect this, which it doesn't). You can pontificate about proper security all you want, but sometimes practical considerations must be regarded for what they are. Commented May 29, 2020 at 7:31
  • I understand that TLSv1 is ancient and should be avoided. However, there may be situations when you just want to get things done in one instance because that is the only feasible option left other than a time-consuming long-term solution such as upgrading the server to run a later version of TLS. We finally upgraded the server, but would have loved to have a way to get SVN in Debian 10 to work with TLSv1. I agree with Madeleine. Commented May 30, 2020 at 12:48
1

I'm trying to connect to a Visual SVN server that is on version 2.1.4 (ancient), which only supports TLS v1.0.

I found I needed the following in openssl.cnf:

openssl_conf = default_conf

[ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = ssl_default_sect

[ssl_default_sect]
Options = UnsafeLegacyRenegotiation
MinProtocol = TLSv1  
CipherString = DEFAULT:@SECLEVEL=0

I also needed to ensure the SVN URL contained the same hostname as given in the SVN server's (self-signed) certificate.

Since it was a self-signed certificate, I also needed to use the --trust-server-cert option for SVN.

1

My god... I tried and tried and tried. Everything in any combination I found on every site. Nothing helped. Yesterday I finally found the solution.

How? I read the documentation.

The issue began when I upgraded my Ubuntu 20.04 to 22.04. In the background, OpenSSL changes during the update from 1.1.1 to 3.x.

My SVN server uses some slightly older versions of TLS and by default OpenSSL 3.x doesn't support those. But there is an official way to reactivate the support for those: using "providers". In this case you need the "legacy" provider. https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers

The solution:

/etc/ssl/openssl.cnf

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

If you use a client certificate to connect to your svn server, of course you have to have your ~/.subversion/servers configured too, like:

~/.subversion/servers

ssl-client-cert-file = ~/my.p12
ssl-authority-files = /etc/ssl/certs/my_ca.pem
1
  • Good grief what a pain. Just worked for me too. Commented Apr 27 at 13:29
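
An added example (not part of any answer above, and not Subversion or OpenSSL project code): a Python check that follows the openssl_conf section chain used in the answers and lists the weakened settings, so a workaround left in place can be found and reverted once the server is upgraded. The parser is simplified (no .include or $variable expansion); the function names and the sample text are constructed for illustration.

```python
import re
# Constructed sample: the downgrade settings quoted in the answers above.
SAMPLE_CNF = """\
openssl_conf = default_conf
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
Options = UnsafeLegacyRenegotiation
MinProtocol = TLSv1
CipherString = DEFAULT:@SECLEVEL=0
"""
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_cnf(text):
    """Parse OpenSSL config text into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line and not line.startswith("."):  # skip .include
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit(text):
    """List weakened settings reachable from the openssl_conf entry point."""
    cfg = parse_cnf(text)
    init = cfg.get(cfg["default"].get("openssl_conf", ""), {})
    ssl = cfg.get(init.get("ssl_conf", ""), {})
    defaults = cfg.get(ssl.get("system_default", ""), {})
    findings = []
    if defaults.get("MinProtocol") in WEAK_PROTOCOLS:
        findings.append("MinProtocol=" + defaults["MinProtocol"])
    level = re.search(r"@SECLEVEL=(\d)", defaults.get("CipherString", ""))
    if level and int(level.group(1)) < 2:
        findings.append("SECLEVEL=" + level.group(1))
    if "UnsafeLegacyRenegotiation" in defaults.get("Options", ""):
        findings.append("UnsafeLegacyRenegotiation")
    providers = cfg.get(init.get("providers", ""), {})
    if cfg.get(providers.get("legacy", ""), {}).get("activate") == "1":
        findings.append("legacy provider active")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
```

Run it against both the system file reported by openssl version -d and any file named in OPENSSL_CONF, since either one can carry the downgrade.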
0

I have made a mixture of the two previous solutions, and it works perfectly.

  1. copy the file /usr/lib/ssl/openssl.cnf (in my case it is .cnf) to my home
  2. modify the file as indicated by Madeleine in the first answer
  3. export OPENSSL_CONF=~/openssl.cnf

Many thanks to both of you :)

0

I had a similar issue in Windows at work, using a git svn clone command, with the somewhat cryptic error:

Error running context...

I reverted to git version 2.28.0 (from version 2.41.0), and the connection to the old SVN server was successful.
