On 21.06.2010 14:37, Roland Sieker wrote:
> Hi
> I'm running a svn set-up with a https server that requires client
> certificates.
> Server: apache 2.2.15 with mod_ssl (2.2.15)
> I've updated the server's openssl to 1.0.0a
> AFAIS that library implements RFC 5746 (
> http://www.ietf.org/rfc/rfc5746.txt ) to solve the CVE-2009-3555 (
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 ) unsafe
> renegotiation/MITM issue.
>
> TortoiseSVN uses openssl 0.9.8k without RFC 5746
>
> My TortoiseSVN about info:
> TortoiseSVN 1.6.8, Build 19260 - 32 Bit , 2010/04/16 20:20:11
> Subversion 1.6.11,
> apr 1.3.8
> apr-utils 1.3.9
> neon 0.29.3
> OpenSSL 0.9.8k 25 Mar 2009
> zlib 1.2.3
>
> When I try to do an update (or anything else that talks to the server)
> with TortoiseSVN now it fails according to the RFC:
> TortoiseSVN reports
> Error: OPTIONS of 'https://<server>/<path>/trunk': Could not read
> Error: status line: SSL error: sslv3 alert handshake failure
> (https://<server>)
[snip]
>
> or in short "SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled"
>
> So I'd be really happy if there were a TortoiseSVN with openssl
> 0.9.8o (or maybe 0.9.8[m-n]) or openssl 1.0.0a (or 1.0.0)
>
> (And no, I don't want to completely disable renegotiation. I DO want to
> allow different certificates on different parts of the server. And the
> client can be on the "outside", not just 192.168...)
Use the just released 1.6.9 version.
Stefan
--
___
oo // \\ "De Chelonian Mobile"
(_,\/ \_/ \ TortoiseSVN
\ \_/_\_/> The coolest Interface to (Sub)Version Control
/_/ \_\ http://tortoisesvn.net
Received on 2010-06-21 17:07:50 CEST
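
The RFC 5746 support discussed in this thread is visible in the client's first handshake message: a patched client sends either the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher-suite value or the renegotiation_info extension in its ClientHello. The check below is an added example, not part of the original thread and not TortoiseSVN or OpenSSL code; the function names and the sample hellos are constructed for illustration, and only TLS-record-format hellos are handled (not SSLv2-compatible ones).

```python
import struct

SCSV = 0x00FF                # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)

def signals_rfc5746(record: bytes) -> bool:
    """True if a TLS-record-format ClientHello signals secure renegotiation."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + body[pos]              # skip session_id
        cs_len = int.from_bytes(body[pos:pos + 2], "big")
        suites = body[pos + 2:pos + 2 + cs_len]
        pos += 2 + cs_len
        if any(int.from_bytes(suites[i:i + 2], "big") == SCSV
               for i in range(0, len(suites), 2)):
            return True                   # signalled via the cipher-suite value
        pos += 1 + body[pos]              # skip compression_methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    if pos + 2 > len(body):
        return False                      # legacy hello: no extensions block
    ext_end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        if ext_type == RENEGOTIATION_INFO:
            return True                   # signalled via the extension
        pos += 4 + ext_len
    return False

def build_client_hello(suites, extensions=b""):
    """Constructed sample input: a minimal TLS 1.0 ClientHello record."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00" + len(cs).to_bytes(2, "big") + cs
    body += b"\x01\x00"                   # one compression method: null
    if extensions:
        body += len(extensions).to_bytes(2, "big") + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    print(signals_rfc5746(build_client_hello([0x002F, 0x0035])))   # legacy
    print(signals_rfc5746(build_client_hello([0x002F, SCSV])))     # patched
```

Run against the first client record in a packet capture, this shows which clients will still be refused renegotiation by a server that has unsafe legacy renegotiation disabled.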