[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SSL v3 vulnerability

From: Stefan Sperling <stsp_at_elego.de>
Date: Tue, 21 Oct 2014 17:18:44 +0200

On Tue, Oct 21, 2014 at 02:40:32PM +0000, Nicolas CALVET (Ingenico Partner) wrote:
> Hi,
> Recently, we were informed by a publishing speaking about the vulnerability of SSLv 3.0.
> We would like to know if Subversion 1.6 is compatible with the following protocol TLS 1.0 / TLS 1.1 / TLS 1.2 ?
> Thanks in advance for you quick feedback
> Regards,
> Bien Cordialement,
> Nicolas Calvet

Subversion does not use SSL directly. It uses SSL indirectly via some
of its dependencies. Therefore there is nothing the Subversion project
can do about SSL-related issues (apart from some aspects such as client-side
certicate management, but this doesn't apply for the SSLv3 problem).
You should ask the relevant projects which Subversion depends on about
their implementation of SSL support.

For Subversion 1.6 clients, the neon or serf library can be used to
establish HTTPS connections. The default library is neon. This project's
website is http://webdav.org/neon/ -- that's probably the most appropriate
place for your question. I believe neon supports TLS 1.2 as long as a
recent enough version of OpenSSL or GNUTLS is used by neon.

For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
released an update (1.3.8) which disables the use of SSLv3 entirely.
It uses OpenSSL so as long as a recent OpenSSL version is in use, the
TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/

Subversion's server-side support for HTTPS is usually implemented by
the Apache HTTPD web server: http://httpd.apache.org

Another place where SSL is used is the svn:// protocol if the server
uses SASL with a configuration that uses SSL. Subversion then uses
Cyrus-SASL for both the server and the client. The project's website
is http://asg.web.cmu.edu/sasl/
Received on 2014-10-21 17:19:37 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.