On Tue, Jul 26, 2011 at 1:20 PM, Dan Yost <yod...@gmail.com> wrote:

> On Tue, Jul 26, 2011 at 3:11 PM, Geoff Hoffman
> <ghoff...@cardinalpath.com> wrote:
> > Long shot here... this is probably off base, as I am not that experienced
> > with lower-level SSL problems, but are you by chance using an issuer that
> > provides an intermediary certificate?
> > For example, to install an SSL cert from GoDaddy, you have to also include
> > the gd_bundle.crt. The Wikipedia article below makes me wonder if there is
> > just some network hiccups sometimes, trying to validate your certificate
> > chain authority.
> >>
> >> From http://en.wikipedia.org/wiki/Intermediate_certificate_authorities
> >> If the certificate was not issued by a trusted CA, the connecting device
> >> (e.g., a web browser) will then check to see if the issuing CA of the
> >> certificate was issued by a trusted CA, and so on until either a trusted CA
> >> is found (at which point a trusted, secure connection will be established)
> >> or no trusted CA can be found (at which point the device will usually
> >> display an error).
> >
>
> Yes, and indeed this is a GoDaddy cert, with the bundle installed to
> keep the chain intact, so thus it does work that 95% of the time. I
> was thinking that the chain is all presented from the server to client
> in one fell swoop, with no need to go fetch anything else "out there"
> (not that you're suggesting that is what it needs to do--go outside to
> fetch something). But indeed, I suppose it could complicate the
> handshake in such a way as to cause this intermittent failure--would
> really like to be able to "watch" that happen via some kind of verbose
> log.
>
> Dan

If this *might* be the problem, I'm guessing that browsers do a better job of "trying again a few times" than the svn client might. If you can simulate what your workflow is doing in Firefox with the LiveHeaders plugin, you can distill it down to a list of FQDNs that are required, then tracert them, ping them, etc., to see if you have any dropped packets. Also IPs are a straighter path than DNS names. It may not be easy for you to change everything around, but if you switched it all to IP-based you could rule out DNS being a problem.
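
The three causes raised in this thread (certificate chain, dropped packets, DNS) fail at different layers, so a repeated handshake probe can tell them apart. The following is an added example, not part of the original thread or of any tool it mentions; the host name `svn.example.com` is a placeholder and the category names are this example's own.

```python
import socket
import ssl
import time
from collections import Counter


def classify(exc):
    """Map a connection exception to the hypothesis it supports."""
    if isinstance(exc, socket.gaierror):
        return "dns"        # name resolution failed
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "chain"      # e.g. missing intermediate, untrusted issuer
    if isinstance(exc, ssl.SSLError):
        return "tls"        # handshake broke for a non-certificate reason
    if isinstance(exc, OSError):
        return "network"    # timeout, reset, refused
    return "other"


def probe_once(host, port=443, timeout=5.0):
    """One TCP connect plus TLS handshake; returns (outcome, detail, seconds)."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                detail = tls.version()
        outcome = "ok"
    except Exception as exc:
        outcome, detail = classify(exc), repr(exc)
    return outcome, detail, time.monotonic() - start


def probe(host, port=443, attempts=20, pause=0.5):
    """Repeat the handshake and tally outcomes to expose intermittent failures."""
    tally = Counter()
    for i in range(attempts):
        outcome, detail, secs = probe_once(host, port)
        tally[outcome] += 1
        print(f"{i + 1:3d} {outcome:8s} {secs:6.2f}s {detail}")
        time.sleep(pause)
    return tally


if __name__ == "__main__":
    # "svn.example.com" is a placeholder; substitute the repository host.
    print(probe("svn.example.com"))
```

A tally dominated by `chain` points at the served certificate bundle, while `network` or `dns` entries scattered among `ok` results point at the path to the server instead.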