Posted to users@subversion.apache.org by "Nicolas CALVET (Ingenico Partner)" <Ni...@ingenico.com> on 2014/10/21 16:40:32 UTC

SSL v3 vulnerability

Hi,

Recently, we were informed by a publication speaking about the vulnerability of SSLv 3.0.
We would like to know if Subversion 1.6 is compatible with the following protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?

Thanks in advance for your quick feedback

Regards,


Kind regards,
Nicolas Calvet


Re: SSL v3 vulnerability

Posted by Mohsin <mo...@gmail.com>.
Nice interpretation, thanks.
We are using the http protocol for repository access over the internet. In this
case, should we upgrade the serf version or not? We are using serf v1.3.5.


regards
Mohsin




Re: SSL v3 vulnerability

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Great answer --- you should add it to the FAQ :)

Stefan Sperling wrote on Tue, Oct 21, 2014 at 17:18:44 +0200:
> On Tue, Oct 21, 2014 at 02:40:32PM +0000, Nicolas CALVET (Ingenico Partner) wrote:
> > Hi,
> > 
> > Recently, we were informed by a publication speaking about the vulnerability of SSLv 3.0.
> > We would like to know if Subversion 1.6 is compatible with the following protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?
> > 
> > Thanks in advance for your quick feedback
> > 
> > Regards,
> > 
> > 
> > Kind regards,
> > Nicolas Calvet
> > 
> 
> Subversion does not use SSL directly. It uses SSL indirectly via some
> of its dependencies. Therefore there is nothing the Subversion project
> can do about SSL-related issues (apart from some aspects such as client-side
> certificate management, but this doesn't apply for the SSLv3 problem).
> You should ask the relevant projects which Subversion depends on about
> their implementation of SSL support.
> 
> For Subversion 1.6 clients, the neon or serf library can be used to
> establish HTTPS connections. The default library is neon. This project's
> website is http://webdav.org/neon/ -- that's probably the most appropriate
> place for your question. I believe neon supports TLS 1.2 as long as a
> recent enough version of OpenSSL or GNUTLS is used by neon.
> 
> For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
> released an update (1.3.8) which disables the use of SSLv3 entirely.
> It uses OpenSSL so as long as a recent OpenSSL version is in use, the
> TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/
> 
> Subversion's server-side support for HTTPS is usually implemented by
> the Apache HTTPD web server: http://httpd.apache.org
> 
> Another place where SSL is used is the svn:// protocol if the server
> uses SASL with a configuration that uses SSL. Subversion then uses
> Cyrus-SASL for both the server and the client. The project's website
> is http://asg.web.cmu.edu/sasl/

Re: SSL v3 vulnerability

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Oct 21, 2014 at 02:40:32PM +0000, Nicolas CALVET (Ingenico Partner) wrote:
> Hi,
> 
> Recently, we were informed by a publication speaking about the vulnerability of SSLv 3.0.
> We would like to know if Subversion 1.6 is compatible with the following protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?
> 
> Thanks in advance for your quick feedback
> 
> Regards,
> 
> 
> Kind regards,
> Nicolas Calvet
> 

Subversion does not use SSL directly. It uses SSL indirectly via some
of its dependencies. Therefore there is nothing the Subversion project
can do about SSL-related issues (apart from some aspects such as client-side
certificate management, but this doesn't apply for the SSLv3 problem).
You should ask the relevant projects which Subversion depends on about
their implementation of SSL support.

For Subversion 1.6 clients, the neon or serf library can be used to
establish HTTPS connections. The default library is neon. This project's
website is http://webdav.org/neon/ -- that's probably the most appropriate
place for your question. I believe neon supports TLS 1.2 as long as a
recent enough version of OpenSSL or GNUTLS is used by neon.

For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
released an update (1.3.8) which disables the use of SSLv3 entirely.
It uses OpenSSL so as long as a recent OpenSSL version is in use, the
TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/

Subversion's server-side support for HTTPS is usually implemented by
the Apache HTTPD web server: http://httpd.apache.org

Another place where SSL is used is the svn:// protocol if the server
uses SASL with a configuration that uses SSL. Subversion then uses
Cyrus-SASL for both the server and the client. The project's website
is http://asg.web.cmu.edu/sasl/
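
An added example, not part of the thread and not Subversion project code: a short Python script that reads the repository-access module listing from `svn --version`, ties each module to the dependency named in the reply above, and compares a reported serf version against 1.3.8. The function name audit, the sample output and the format of the "using serf" line are assumptions.

```python
import re

# Which dependency supplies TLS for each RA module, per the reply above.
TLS_PROVIDER = {
    "ra_neon": "neon (OpenSSL or GnuTLS)",
    "ra_serf": "serf (OpenSSL)",
    "ra_svn": "Cyrus SASL, if the SASL configuration uses SSL",
}
SERF_SSLV3_OFF = (1, 3, 8)  # serf release that disables SSLv3, per the reply

# Constructed sample of the RA module listing printed by `svn --version`.
# Assumption: the "- using serf" line appears only on clients that report it.
SAMPLE = """\
* ra_svn : Module for accessing a repository using the svn network protocol.
  - with Cyrus SASL authentication
  - handles 'svn' scheme
* ra_local : Module for accessing a repository on local disk.
  - handles 'file' scheme
* ra_serf : Module for accessing a repository via WebDAV protocol using serf.
  - using serf 1.3.5 (compiled with 1.3.5)
  - handles 'http' scheme
  - handles 'https' scheme
"""

def audit(version_output):
    """Map each RA module to its schemes, TLS provider and serf SSLv3 status."""
    report, current = {}, None
    for line in version_output.splitlines():
        head = re.match(r"\* (ra_\w+) :", line)
        if head:
            name = head.group(1)
            # ra_local has no entry in TLS_PROVIDER: it never uses the network.
            current = {"tls": TLS_PROVIDER.get(name), "schemes": [], "serf": None}
            report[name] = current
        elif current is not None:
            scheme = re.search(r"handles '([\w+]+)' scheme", line)
            if scheme:
                current["schemes"].append(scheme.group(1))
            serf = re.search(r"using serf (\d+)\.(\d+)\.(\d+)", line)
            if serf:
                current["serf"] = tuple(int(p) for p in serf.groups())
    if "ra_serf" in report:
        found = report["ra_serf"]["serf"]
        if found is None:  # version not printed: check the installed package
            report["ra_serf"]["sslv3"] = "unknown"
        elif found >= SERF_SSLV3_OFF:
            report["ra_serf"]["sslv3"] = "disabled"
        else:
            report["ra_serf"]["sslv3"] = "not disabled by serf"
    return report
```

Call audit() on the captured output of `svn --version` from the client being checked; a result of "unknown" means the serf version has to be read from the package manager instead.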