...
The problem stems from the fact that Ubuntu packages are by default compiled against gnutls instead of openssl. There appears to be a protocol issue with the gnutls package that causes extremely slow server response when connecting to our openssl compiled server.
There are two possible solutions to A new version of libneon appears to fix this issue for users.
...
Recompile the subversion client
This script may serve as a starting point if you decide to recompile the subversion clients. It works on Ubuntu 9.04.
| Code Block |
|---|
#!/bin/sh
echo "This script will reconfigure subversion to work with certs correctly."
echo "Steps outlined by dcrooke and compiled into this script by Kalosaurusrex"
echo "Please see the ubuntuforums.org thread for more information, questions or help."
echo "http://ubuntuforums.org/showthread.php?p=6057983"
echo ""
echo ""
echo "Please run this script as USER ONLY."
echo ""
echo "Press control-c to quit..else the script will start in 5 seconds."
sleep 5
sudo apt-get update
sudo apt-get install build-essential openssl ssh expat libexpat1-dev libxyssl-dev libssl-dev
sudo apt-get remove subversion
sudo dpkg --purge subversion
wget http://subversion.tigris.org/downloads/subversion-1.6.12.tar.gz
wget http://subversion.tigris.org/downloads/subversion-deps-1.6.12.tar.gz
tar xvfz subversion-1.6.12.tar.gz
tar xvfz subversion-deps-1.6.12.tar.gz
cd subversion-1.6.12/neon/
./configure --prefix=/usr/local --with-ssl --with-pic
make
sudo make install
cd ..
rm -rf neon
./configure --prefix=/usr/local --with-ssl --with-neon=/usr/local
make
sudo make install
cd ..
rm -rf subversion-1.6.12
rm subversion-1.6.12.tar.gz
rm subversion-deps-1.6.12.tar.gz
exit 0
|
...
This procedure does not appear to work under Ubuntu 10.04.
...
Install the Ubuntu openssl compiled Neon package
Since subversion encapsulates the SSL/encryption routines fully within the Neon package, by replacing this package it is possible trick subversion into using openssl without the need to recompile the subversion client. However, depending on how you implement this solution, you may effect all other Neon compiled packages on the system.
Ubuntu has two versions of Neon available.
- libneon27 (which uses openssl)
- libneon27-gnutls (which uses gnutls)
First you need to install the openssl version of Neon, assuming that it doesn't already exist on your system.
| Code Block |
|---|
sudo apt-get install libneon27
|
Then you need to set a special environment variable called LD_PRELOAD to point to the openssl compiled version of Neon.
| Code Block |
|---|
export LD_PRELOAD=/usr/lib/libneon.so.27
|
. This new version of libneon will be included with Ubuntu 10.10 and available from packages.ubuntu.com for the Maverick release.
If you would like to use it with a version of Ubuntu less than version 10.10 you can pick up this new package from one of these locations depending on architecture:
- http://launchpadlibrarian.net/48916546/libneon27-gnutls_0.29.3-2_amd64.deb
- http://launchpadlibrarian.net/48866329/libneon27-gnutls_0.29.3-2_i386.deb
After downloading the appropriate one of these files, you can do:
| Code Block |
|---|
sudo dpkg -i libneon27-gnutls_0.29.3-2_<ARCH>.deb
|
This will properly install the package and the package manager will know
about it, so there will be no messy junk sitting in /usr/local that
won't be properly managed and upgraded.
This also means that the LD_PRELOAD hack is no longer needed.
...
Credits
I would like to thank Professor Rixner and his graduate students who were instrumental in the testing of this problem and for coming up with these solutionsthis solution.