SVN,OSX10.7:SSL握手失败:SSL错误代码-1/1/336032856
[英]SVN, OSX10.7: SSL handshake failed: SSL error code -1/1/336032856
问题描述
I'm having trouble accessing an svn repository due to an SSL handshake error. 
由于SSL握手错误,我无法访问svn存储库。 Here's the output I get 这是我得到的输出
$ svn ls https://example.edu:40657/folder
svn: OPTIONS of 'https://example.edu:40657/folder': SSL handshake failed: SSL error code -1/1/336032856 (https://example.edu:40657)
This started happening after the repository was moved to another server. 这在存储库移动到另一台服务器后开始发生。 A new security certificate was issued as well. 还发布了新的安全证书。
I've seen the issue raised here ( Handshake failure with "SSL error code -1/1/336032856" on OS X 10.7 ) and read the faq, but my ssl version is 1.0.1c. 我已经看到了这里提出的问题( 在OS X 10.7上使用“SSL错误代码-1/1/336032856”握手失败 )并读取了faq,但我的ssl版本是1.0.1c。 I think this is a client side issue, since no other (linux) machines exhibit the problem. 我认为这是一个客户端问题,因为没有其他(linux)机器出现问题。 I've deleted my ~/.subversion folder and deleted in my keychain anything marked svn or ssl, but still no luck. 我删除了我的〜/ .subversion文件夹并在我的钥匙串中删除了任何标记为svn或ssl的内容,但仍然没有运气。 My guess is there are still security keys stored somewhere that I don't know about. 我的猜测是仍然存在一些我不知道的安全密钥。 Any ideas? 有任何想法吗?
5 个解决方案
解决方案1
3 2013-09-23 11:08:43
I had this error too when trying to check out a repository on a server using a self-signed certificate. 尝试使用自签名证书检出服务器上的存储库时,我也遇到此错误。
You have to meet 2 requirements: 您必须满足2个要求:
- the CN (Common Name) in the certificate should match the hostname you're using in the repo URL 证书中的CN(公用名)应与您在repo URL中使用的主机名相匹配
- the ServerName configured in the Virtual Host handling the request should match the URL too. 处理请求的虚拟主机中配置的ServerName也应与URL匹配。
The latter could be enough. 后者就足够了。
I was using the default-ssl apache config from Debian which doesn't set any specific ServerName (so the main ServerName from the global Apache config is used). 我使用的是Debian的default-ssl apache配置,它没有设置任何特定的ServerName(因此使用了来自全局Apache配置的主ServerName)。 Accessing the repository through the real hostname of the server was working (you just get the "The certificate is not issued by a trusted authority" warning the first time you try to connect) but trying to access it through any other alias (even by its IP) failed with this error. 通过服务器的真实主机名访问存储库是有效的(您只是在第一次尝试连接时获得“证书不是由受信任的机构颁发”警告)但是尝试通过任何其他别名访问它(即使是通过其IP)因此错误而失败。
So the workaround here is to ask the server admin what's the real ServerName (it may be listed in the footer of a 404 error page) or ask him to set it accordingly. 所以这里的解决方法是询问服务器管理员什么是真正的ServerName(它可能列在404错误页面的页脚中)或要求他相应地设置它。
Example: 例:
$ svn co https://alias.or.ip.of.the.server.real.hostname/svn/test
svn: OPTIONS of 'https://alias.or.ip.of.the.server.real.hostname/svn/test': SSL negotiation failed: SSL error code -1/1/336032856 (https://alias.or.ip.of.the.server.real.hostname)
$ svn co https://real.hostname.of.the.server/svn/test
Error validating server certificate for 'https://real.hostname.of.the.server:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: real.hostname.of.the.server
- Valid: from Mon, 23 Sep 2013 10:55:49 GMT until Thu, 21 Sep 2023 10:55:49 GMT
- Issuer: real.hostname.of.the.server
- Fingerprint: 61:81:26:51:53:26:9a:ea:c1:28:b8:6d:22:13:05:8f:81:1a:ed:67
(R)eject, accept (t)emporarily or accept (p)ermanently?
Store it permanently and you're good to go! 永久存放,你很高兴!
解决方案2
2
This can also happen due to TLS using SNI ( https://en.wikipedia.org/wiki/Server_Name_Indication ). 这也可能是由于使用SNI的TLS( https://en.wikipedia.org/wiki/Server_Name_Indication )。
Given you are using Apache with something like this config 鉴于你正在使用Apache这样的配置
ServerName my-server
ServerAlias another-name
And the client connects to your server using this URL 客户端使用此URL连接到您的服务器
svn ls https://svn-server
When the Client uses SNI it will tell the server during the handshake 当客户端使用SNI时,它将在握手期间告诉服务器
Btw. I think you are called "svn-server"
The server only knows itself by the names "my-server" and "another-name", hence it will raise a TLS warning: 服务器只通过名称“my-server”和“another-name”知道自己,因此它会引发TLS警告:
Warning: I am not called "svn-server". That name is unknown to me.
This warning leads to a handshake failure, as the client thinks something bad happened. 这个警告导致握手失败,因为客户认为发生了不好的事情。
A solution would be to add the name the client uses to the server aliases 解决方案是将客户端使用的名称添加到服务器别名
ServerAlias another-name svn-server
And do not forget to check that the SSL certificate's "Common Name" or aliases also matches the name the client uses. 并且不要忘记检查SSL证书的“公共名称”或别名是否与客户端使用的名称匹配。
解决方案3
1 已采纳 2013-02-26 16:56:21
Many thanks to Ned Deily, his comments were correct. 非常感谢Ned Deily,他的评论是正确的。 The problem disappeared after I downloaded and built subversion 1.7.8 ( http://subversion.apache.org/download/#recommended-release ). 我下载并构建了subversion 1.7.8( http://subversion.apache.org/download/#recommended-release )后,问题就消失了。 I also had to download and build neon ( http://www.webdav.org/neon/ ), to allow svn to recognize http and https address. 我还必须下载并构建neon( http://www.webdav.org/neon/ ),以允许svn识别http和https地址。 Finally, I had to move the apple-supplied svn binaries to another folder to get the new version found (new version was installed to /usr/local/bin, while the apple-supplied version was installed in /usr/bin). 最后,我不得不将苹果提供的svn二进制文件移动到另一个文件夹以获取新版本(新版本安装到/ usr / local / bin,而苹果提供的版本安装在/ usr / bin中)。
解决方案4
1 2014-05-20 08:22:42
http://subversion.apache.org/faq.html#ssl-error-336032856 http://subversion.apache.org/faq.html#ssl-error-336032856
This can happen when the hostname reported by the server does not the match hostname given in the SSL certificate. 当服务器报告的主机名不是SSL证书中给出的匹配主机名时,可能会发生这种情况。 Make sure your server configuration uses correct values for ServerName and NameVirtualHost . 确保您的服务器配置使用ServerName和NameVirtualHost的正确值。
解决方案5
1 2016-03-30 14:37:08
我收到了类似的错误,原因似乎是系统时钟已关闭(夏令时刚刚过去,系统时钟已关闭1小时)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.