Newer SSL libraries and TLSv1.2 incompatibilities

From: Garrison, Jim (ETW) <Jim.Garrison_at_nike.com>
Date: Wed, 13 Jun 2012 15:56:19 -0700

Regarding my question in the thread titled "When connecting to an https server force use of TLS or SSLv3?".

I asked that before I fully understood the problem, which is actually due to a backwards incompatibility in the newest OpenSSL libraries (1.0.1c) used by Subversion. Essentially, the newest client library can cause older servers to hang when it sends a TLSv1.2 handshake.

The release notes for OpenSSL 1.0.1c contain (changes between 1.0.1 and 1.0.1a):

*) Workarounds for some broken servers that "hang" if a client hello
record length exceeds 255 bytes.

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.

Is there any way, other than completely rebuilding svn locally, to use these workarounds?
Received on 2012-06-14 00:56:53 CEST

This message: [ Message body ]
Next message: Kaushal Shriyan: "Nagios SVN Alerts"
Previous message: Thorsten Schöning: "Re: How to create a tag from multiple revisions?"
Next in thread: Garrison, Jim (ETW): "RE: Newer SSL libraries and TLSv1.2 incompatibilities"
Reply: Garrison, Jim (ETW): "RE: Newer SSL libraries and TLSv1.2 incompatibilities"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]