
Re: Newer SSL libraries and TLSv1.2 incompatibilities

From: Daniel Shahaf <danielsh_at_elego.de>
Date: Fri, 15 Jun 2012 18:15:50 +0300

Garrison, Jim (ETW) wrote on Thu, Jun 14, 2012 at 10:49:47 -0700:
> > -----Original Message-----
> > From: Garrison, Jim (ETW) [mailto:Jim.Garrison_at_nike.com]
> > Sent: Wednesday, June 13, 2012 3:56 PM
> > To: users_at_subversion.apache.org
> > Subject: Newer SSL libraries and TLSv1.2 incompatibilities
> >
> > Regarding my question in the thread titled "When connecting to an https
> > server force use of TLS or SSLv3?".
> >
> > I asked that before I fully understood the problem, which is actually
> > due to a backwards incompatibility in the newest OpenSSL libraries
> > (1.0.1c) used by Subversion. Essentially, the newest client library can
> > cause older servers to hang when it sends a TLSv1.2 handshake.
> >
> > The release notes for OpenSSL 1.0.1c contain (changes between 1.0.1 and
> > 1.0.1a):
> >
> > *) Workarounds for some broken servers that "hang" if a client hello
> > record length exceeds 255 bytes.
> >
> > 1. Do not use record version number > TLS 1.0 in initial client
> > hello: some (but not all) hanging servers will now work.
> > 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
> > the number of ciphers sent in the client hello. This should be
> > set to an even number, such as 50, for example by passing:
> > -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
> > Most broken servers should now work.
> > 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
> > TLS 1.2 client support entirely.
> >
> > Is there any way, other than completely rebuilding svn locally, to use
> > these workarounds?
>
> Please see http://rt.openssl.org/Ticket/Display.html?id=2771&user=guest&pass=guest
>
> This is going to cause major headaches for a lot of people. OpenSSL client versions 1.0.1 and later can and will cause earlier server versions to hang at CLIENT HELLO. There are options in the OpenSSL code to tailor the client behavior to avoid this, but they require the client applications (i.e. subversion) to support setting these options. For example
>
> ctx = SSL_CTX_new(...);
> SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
>
> What's the possibility of getting an enhancement to subversion to support this in its server configuration?

Haven't read everything, but Subversion does not call SSL_CTX_new() at
all; its dependencies, libneon and/or libserf, do.
Received on 2012-06-15 17:16:31 CEST
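
The two conditions named in the quoted OpenSSL changelog entry (a record version above TLS 1.0 in the initial client hello, and a client hello record longer than 255 bytes) can be checked on a captured ClientHello. The following C code is an added example, not part of the original mail and not OpenSSL or Subversion code; all function names are hypothetical, and the sample hello is constructed with placeholder cipher suites and no extensions.

```c
#include <stdint.h>
#include <string.h>

/* Fields of a ClientHello record relevant to the hang described above. */
struct hello_info {
    unsigned record_version;  /* 0x0301 = TLS 1.0, 0x0303 = TLS 1.2 */
    unsigned record_len;      /* length field of the 5-byte record header */
    unsigned cipher_bytes;    /* byte length of the cipher_suites vector */
};
enum { REC_VERSION_GT_TLS10 = 1, REC_LEN_GT_255 = 2 };
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Parse one record; returns 0 on success, -1 if it is not a ClientHello. */
int inspect_client_hello(const uint8_t *buf, size_t n, struct hello_info *out) {
    if (n < 5 || buf[0] != 22) return -1;             /* 22 = handshake */
    out->record_version = be16(buf + 1);
    out->record_len = be16(buf + 3);
    if (n - 5 < out->record_len) return -1;           /* truncated capture */
    const uint8_t *p = buf + 5, *end = p + out->record_len;
    if (end - p < 4 + 34 + 1 || p[0] != 1) return -1; /* 1 = ClientHello */
    p += 4 + 34;                 /* handshake header, client_version, random */
    size_t sid = *p++;           /* session_id length */
    if ((size_t)(end - p) < sid + 2) return -1;
    p += sid;
    out->cipher_bytes = be16(p);
    if ((size_t)(end - p) < 2 + (size_t)out->cipher_bytes) return -1;
    return 0;
}

/* Flag the two conditions the changelog entry associates with hanging servers. */
unsigned hang_flags(const struct hello_info *h) {
    return (h->record_version > 0x0301 ? REC_VERSION_GT_TLS10 : 0) |
           (h->record_len > 255 ? REC_LEN_GT_255 : 0);
}

/* Constructed sample: minimal ClientHello (no extensions) carrying n_suites
   placeholder cipher suites; buf must hold 48 + 2 * n_suites bytes. */
size_t build_sample_hello(uint8_t *buf, unsigned rec_ver, unsigned n_suites) {
    unsigned body = 2 + 32 + 1 + 2 + 2 * n_suites + 2, rec = body + 4;
    memset(buf, 0, 5 + rec);
    buf[0] = 22; buf[1] = rec_ver >> 8; buf[2] = rec_ver & 0xff;
    buf[3] = rec >> 8; buf[4] = rec & 0xff;
    buf[5] = 1; buf[7] = body >> 8; buf[8] = body & 0xff;   /* 24-bit length */
    buf[9] = 3; buf[10] = 3;                 /* client_version: TLS 1.2 */
    buf[44] = (2 * n_suites) >> 8; buf[45] = (2 * n_suites) & 0xff;
    buf[46 + 2 * n_suites] = 1;              /* one compression method: null */
    return 5 + rec;
}
```

With the constructed samples, 25 suites under a TLS 1.0 record header give a 93-byte record and no flags, while 120 suites under a TLS 1.2 record header give a 283-byte record and both flags.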

This is an archived mail posted to the Subversion Users mailing list.
