[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] cleanup the neon socket when closing the ra_session

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2007-07-09 23:53:48 CEST

On Mon, Jul 09, 2007 at 10:35:16PM +0200, Stefan K√ľng wrote:
> Mark Phippard wrote:
> >If GnuTLS supports threading better, then why not consider it? I
> >doubt you have any need to support SSL v2.0 and GnuTLS seems to
> >support the newer protocols much better:
> >
> >http://www.gnu.org/software/gnutls/comparison.html
>
> Well, sure I could try and use GnuTLS instead of OpenSSL. But the
> Windows binaries of Subversion are built with OpenSSL, and that means
> the apache module is too. Which means users *can* use SSLv2.0. It would
> be a regression if TSVN would suddenly not connect to a https based
> repository anymore which it would previously.

Turning off SSLv2 by default is generally considered a security feature;
I'll do it at some point for neon with OpenSSL too (there's already a
session flag to toggle it). Virtually no sites run v2-only SSL servers
across the whole web; almost certainly anybody doing so with Subversion
will have misconfigured mod_ssl by mistake.

joe

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Mon Jul 9 23:53:27 2007

This is an archived mail posted to the Subversion Dev mailing list.