
Re: openssl 1.0.0a, RFC 5746, renegotiation issue

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Mon, 21 Jun 2010 17:07:22 +0200

On 21.06.2010 14:37, Roland Sieker wrote:
> Hi
> I'm running a svn set-up with a https server that requires client
> certificates.
> Server: apache 2.2.15 with mod_ssl (2.2.15)
> I've updated the server's openssl to 1.0.0a
> AFAIS that library implements RFC 5746 (
> http://www.ietf.org/rfc/rfc5746.txt ) to solve the CVE-2009-3555 (
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ) unsafe
> renegotiation/MITM issue.
>
> TortoiseSVN uses openssl 0.9.8k without RFC 5746
>
> My TortoiseSVN about info:
> TortoiseSVN 1.6.8, Build 19260 - 32 Bit , 2010/04/16 20:20:11
> Subversion 1.6.11,
> apr 1.3.8
> apr-utils 1.3.9
> neon 0.29.3
> OpenSSL 0.9.8k 25 Mar 2009
> zlib 1.2.3
>
> When I try to do an update (or anything else that talks to the server)
> with TortoiseSVN now it fails according to the RFC:
> TortoiseSVN reports
> Error: OPTIONS of 'https://<server>/<path>/trunk': Could not read
> Error: status line: SSL error: sslv3 alert handshake failure
> (https://<server>)
[snip]
>
> or in short "SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled"
>
> So I'd be really happy if there would be a TortoiseSVN with openssl
> 0.9.8o (or maybe 0.9.8[m-n]) or openssl 1.0.0a (or 1.0.0)
>
> (And no, I don't want to completely disable renegotiation. I DO want to
> allow different certificates on different parts of the server. And the
> client can be on the "outside", not just 192.168...)

Use the just released 1.6.9 version.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2624250
Received on 2010-06-21 17:07:50 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.
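
Added example (not part of the archived mail, and not TortoiseSVN or OpenSSL code): a server that enforces RFC 5746 refuses renegotiation with a client whose ClientHello carried neither the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value nor the renegotiation_info extension. This Python sketch checks a ClientHello record for either signal; the function names and the sample records are constructed for illustration.

```python
import struct

SCSV = 0x00FF                # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746, section 3.3)
RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746, section 3.2)

def build_client_hello(suites, extensions=()):
    """Build a constructed ClientHello record (sample input, not captured traffic)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                               # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def signals_rfc5746(record):
    """Return True if the ClientHello carries the SCSV or renegotiation_info."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record holding a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                      # skip client_version and random

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(take(1)[0])                                  # session_id
    suites = take(int.from_bytes(take(2), "big"))
    scsv = struct.pack("!H", SCSV)
    if any(suites[i:i + 2] == scsv for i in range(0, len(suites) - 1, 2)):
        return True
    take(take(1)[0])                                  # compression_methods
    if pos == len(body):
        return False                                  # no extensions block at all
    exts = take(int.from_bytes(take(2), "big"))
    i = 0
    while i + 4 <= len(exts):
        etype, elen = struct.unpack("!HH", exts[i:i + 4])
        if etype == RENEGOTIATION_INFO:
            return True
        i += 4 + elen
    return False
```
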