[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

openssl 1.0.0a, RFC 5746, renegotiation issue

From: Roland Sieker <sieker_at_xenos-semi.com>
Date: Mon, 21 Jun 2010 14:37:17 +0200

Hi
I'm running a svn set-up with a https server that requires client
certificates.
Server: apache 2.2.15 with mod_ssl (2.2.15)
I've updated the server's openssl to 1.0.0a
AFAIS that library implements RFC 5746 (
http://www.ietf.org/rfc/rfc5746.txt ) to solve the CVE-2009-3555 (
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ) unsafe
renegotiation/MITM issue.

TortoiseSVN uses openssl 0.9.8k without RFC 5746

My TortoiseSVN about info:
TortoiseSVN 1.6.8, Build 19260 - 32 Bit , 2010/04/16 20:20:11
Subversion 1.6.11,
apr 1.3.8
apr-utils 1.3.9
neon 0.29.3
OpenSSL 0.9.8k 25 Mar 2009
zlib 1.2.3

When i try to do an update (or anything else that talks to the server)
with TortoiseSVN now it fails according to the RFC:
TortoiseSVN reports
Error: OPTIONS of 'https://<server>/<path>/trunk': Could not read
Error: status line: SSL error: sslv3 alert handshake failure
(https://<server>)

and apache logs

[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_kernel.c(764): [client
192.168.1.22] Performing full renegotiation: complete handshake protocol
(client does not support secure renegotiation)
[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_kernel.c(1866): OpenSSL:
Handshake: start
[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL:
Write: SSL renegotiate ciphers
[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_kernel.c(1903): OpenSSL:
Exit: error in SSL renegotiate ciphers
[Mon Jun 21 14:16:51 2010] [error] [client 192.168.1.22] Re-negotiation
request failed
[Mon Jun 21 14:16:51 2010] [error] SSL Library Error: 336068946
error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_io.c(1635): [client
192.168.1.22] read from buffered SSL brigade, mode 0, 8192 bytes
[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_io.c(1710): [client
192.168.1.22] buffered SSL brigade exhausted
[Mon Jun 21 14:16:51 2010] [debug] ssl_engine_io.c(1635): [client
192.168.1.22] read from buffered SSL brigade, mode 2, 0 bytes

or in short "SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled"

So i'd be really happy if there would be a TortoiseSVN with openssl
0.9.8o (or maybe 0.9.8[m-n]) or openssl 1.0.0a (or 1.0.0)

(And no, i don't want to completely disable renegotiation. I DO want to
allow different certificates on different parts of the server. And the
client can be on the "outside", not just 192.168...)

Best regards, Roland

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2624214

To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].

Received on 2010-06-21 14:46:47 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.