
Re: SSL v3 vulnerability

From: Daniel Shahaf <d.s_at_daniel.shahaf.name>
Date: Wed, 22 Oct 2014 11:20:44 +0000

Great answer --- you should add it to the FAQ :)

Stefan Sperling wrote on Tue, Oct 21, 2014 at 17:18:44 +0200:
> On Tue, Oct 21, 2014 at 02:40:32PM +0000, Nicolas CALVET (Ingenico Partner) wrote:
> > Hi,
> >
> > Recently, we were informed by a publication speaking about the vulnerability of SSLv 3.0.
> > We would like to know if Subversion 1.6 is compatible with the following protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?
> >
> > Thanks in advance for your quick feedback
> >
> > Regards,
> >
> >
> > Kind regards,
> > Nicolas Calvet
> >
>
> Subversion does not use SSL directly. It uses SSL indirectly via some
> of its dependencies. Therefore there is nothing the Subversion project
> can do about SSL-related issues (apart from some aspects such as client-side
> certificate management, but this doesn't apply for the SSLv3 problem).
> You should ask the relevant projects which Subversion depends on about
> their implementation of SSL support.
>
> For Subversion 1.6 clients, the neon or serf library can be used to
> establish HTTPS connections. The default library is neon. This project's
> website is http://webdav.org/neon/ -- that's probably the most appropriate
> place for your question. I believe neon supports TLS 1.2 as long as a
> recent enough version of OpenSSL or GNUTLS is used by neon.
>
> For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
> released an update (1.3.8) which disables the use of SSLv3 entirely.
> It uses OpenSSL so as long as a recent OpenSSL version is in use, the
> TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/
>
> Subversion's server-side support for HTTPS is usually implemented by
> the Apache HTTPD web server: http://httpd.apache.org
>
> Another place where SSL is used is the svn:// protocol if the server
> uses SASL with a configuration that uses SSL. Subversion then uses
> Cyrus-SASL for both the server and the client. The project's website
> is http://asg.web.cmu.edu/sasl/
Received on 2014-10-22 13:21:18 CEST

This is an archived mail posted to the Subversion Users mailing list.
