subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Branko ─îibej <br...@apache.org>
Subject Re: Better error message when certificate verification on HTTPS fails?
Date Mon, 07 Mar 2016 19:17:33 GMT
On 07.03.2016 15:20, Thorsten Sch├Âning wrote:
> Hi all,
>
> one of our customers ran into problems when updating a software
> installation using TortoiseSVN in the most current version 1.9.3,
> Build 27038. The message was something around the following, I sadly
> don't have the exact wording anymore, but the error code etc. is
> correct:
>
>> svn error code E720006 error running context the handle is invalid
> Error code 6 is ERROR_INVALID_HANDLE of Windows, so the msg should be
> correct. The error occurred with Tortoise itself and its provided svn
> shell client.
>
> The requested svn repo is hosted on a server accessible via HTTPS and
> the used certificate specifies "http://gv.symcd.com" as an OCSP
> target. The customers firewall blocked access to this domain,
> resulting in ERROR_INVALID_HANDLE in svn somewhere and after the
> access was granted the problem went away and the download succeeded
> without any problems.
>
> The interesting part is that there was no local working copy, we made
> a complete fresh checkout, the server needs authentication and
> Tortoise started to download some data already, created some empty
> folders it couldn't know about without access to the repo and such.
> Therefore there must have been at least some communication already
> until the error occurred and that's why I wrongly ruled out the
> firewall early.
>
> So, do you see any chance to improve this generic error message and
> mention something around certificate verification or that resolving
> some domain failed or such? This would have made finding the error a
> lot easier.

The error probably comes from Serf when the connection to the OCSP
server is refused; apparently the OCSP verification request is performed
asynchronously (and no, I'm not entirely sure that's correct; I'd have
to read the spec).

Anyway, Serf doesn't have detailed error codes for various certificate
validation failures; until and unless it gets them, I'm not sure how
Subversion could detect this case.

-- Brane

Mime
View raw message