[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SSL V3 Vulnerability in HTTP Repository Access.

From: Andreas Stieger <andreas.stieger_at_gmx.de>
Date: Sat, 25 Oct 2014 23:34:06 +0100


On 25/10/14 23:26, Mohsin wrote:
> We are using HTTP protocol for repository access
> (http://abc.svn.com/svn/Repo/) over the internet for this case we are using
> tortoise svn client V 1.8.7 which is dependent on serf and serf is using SSL
> V3 . I just read serf version 1.3.5 is using SSL V3 and in serf 1.3.5 SSL V3
> is enabled . Serf had released latest version 1.3.8 in which SSL V3 is
> disabled . So should I upgrade serf version on my server because I have
> compiled my svn with serf V 1.3.5 or there is no issue ?

If you use HTTP "http://" you are not using SSL/TLS. You are not
affected by POODLE, but also not using encryption.

If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the
Apache httpd configuration. No upgrade required, simple configuration

Received on 2014-10-26 00:34:42 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.