Re: Newer SSL libraries and TLSv1.2 incompatibilities

From: Philip Martin <philip.martin_at_wandisco.com>
Date: Fri, 15 Jun 2012 16:32:13 +0100

Daniel Shahaf <danielsh_at_elego.de> writes:

> Garrison, Jim (ETW) wrote on Thu, Jun 14, 2012 at 10:49:47 -0700:
>>
>> This is going to cause major headaches for a lot of people. OpenSSL
>> client versions 1.0.1 and later can and will cause earlier server
>> versions to hang at CLIENT HELLO. There are options in the OpenSSL
>> code to tailor the client behavior to avoid this, but they require
>> the client applications (i.e. subversion) to support setting these
>> options. For example
>>
>> ctx = SSL_CTX_new(...);
>> SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
>>
>> What's the possibility of getting an enhancement to subversion to support this in its server configuration?
>
> Haven't read everything, but Subversion does not call SSL_CTX_new() at
> all; its dependencies, libneon and/or libserf, do.

Both serf and neon do:

SSL_CTX_set_options(ctx, SSL_OP_ALL);

neon provides ne_ssl_context_set_flag() but it can only be used to
set/clear SSL_OP_NO_SSLv2.

-- 
Philip

Received on 2012-06-15 17:32:53 CEST

This message: [ Message body ]
Next message: Daniel Shahaf: "Re: Newer SSL libraries and TLSv1.2 incompatibilities"
Previous message: Daniel Shahaf: "Re: Newer SSL libraries and TLSv1.2 incompatibilities"
In reply to: Daniel Shahaf: "Re: Newer SSL libraries and TLSv1.2 incompatibilities"
Next in thread: Daniel Shahaf: "Re: Newer SSL libraries and TLSv1.2 incompatibilities"
Reply: Daniel Shahaf: "Re: Newer SSL libraries and TLSv1.2 incompatibilities"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]