On Mon, Jul 09, 2007 at 10:35:16PM +0200, Stefan Küng wrote:
> Mark Phippard wrote:
> >If GnuTLS supports threading better, then why not consider it? I
> >doubt you have any need to support SSL v2.0 and GnuTLS seems to
> >support the newer protocols much better:
> >
> >http://www.gnu.org/software/gnutls/comparison.html
>
> Well, sure I could try and use GnuTLS instead of OpenSSL. But the
> Windows binaries of Subversion are built with OpenSSL, and that means
> the apache module is too. Which means users *can* use SSLv2.0. It would
> be a regression if TSVN would suddenly not connect to a https based
> repository anymore which it would previously.

Turning off SSLv2 by default is generally considered a security feature;
I'll do it at some point for neon with OpenSSL too (there's already a
session flag to toggle it). Virtually no sites run v2-only SSL servers
across the whole web; almost certainly anybody doing so with Subversion
will have misconfigured mod_ssl by mistake.

joe
Received on Mon Jul 9 23:53:27 2007