Posted to dev@subversion.apache.org by "Eric M. Hopper" <ho...@omnifarious.org> on 2003/05/27 11:02:20 UTC

Small, picky patch

The message about the security of the ssl overrides is overly alarmist. 
The only ssl- options that cause security problems in the servers config
file are the ssl-ignore ones.

I, personally, think that global CAs are next to useless, so specifying
your own allowed certificate list, or your own allowed CA is fine, and
doesn't decrease security at all.  And specifying a client certificate
_certainly_ doesn't decrease security.

Attached is a patch that fixes the wording.

Have fun (if at all possible),
-- 
The best we can hope for concerning the people at large is that they
be properly armed.  -- Alexander Hamilton
-- Eric Hopper (hopper@omnifarious.org  http://www.omnifarious.org/~hopper) --

Re: Small, picky patch

Posted by Sander Roobol <ph...@wanadoo.nl>.
On Tue, May 27, 2003 at 06:02:20AM -0500, Eric M. Hopper wrote:
> The message about the security of the ssl overrides is overly alarmist. 
> The only ssl- options that cause security problems in the servers config
> file are the ssl-ignore ones.
> 
> I, personally, think that global CAs are next to useless, so specifying
> your own allowed certificate list, or your own allowed CA is fine, and
> doesn't decrease security at all.  And specifying a client certificate
> _certainly_ doesn't decrease security.
> 
> Attached is a patch that fixes the wording.

Filed as issue #1344.

Sander


Re: Small, picky patch

Posted by Erik Abele <er...@codefaktor.de>.
Eric M. Hopper <ho...@omnifarious.org> wrote:

> The message about the security of the ssl overrides is overly alarmist.
> The only ssl- options that cause security problems in the servers config
> file are the ssl-ignore ones.

<snip />

> Attached is a patch that fixes the wording.

There is a typo in your patch:

+ "### Note that the ssl-gnore overrides significantly decrease the\n"
------------------------^ missing 'i'

+ "### security of the connection, and may allow a third party to\n"
+ "### intercept or even modify the transmitted data\n"
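Review bot: the last added line ends the sentence at "transmitted data\n" with no full stop, so the note reads as unfinished; add the period before the "\n". In the first added line, writing the option family as ssl-ignore-* (as the log message below does) would tell the reader exactly which keys the warning covers.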

The attached patch corrects this.

Cheers,
Erik

BTW, wouldn't it be better to say 'ssl-ignore-* overrides'? Just an idea...

--

LOG:
* subversion/libsvn_subr/config_file.c: clarified a note on security when
using the ssl-ignore-* overrides
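
As an added example (not code from the thread or from Subversion), the Python below audits a servers file along the line the thread draws: it reports enabled ssl-ignore-* overrides and leaves the other ssl- options alone. The sample file, the individual key names and the accepted boolean spellings are assumptions made for illustration.

```python
import configparser

# Constructed sample in the INI layout of a Subversion "servers" file.
# The individual ssl-* key names are assumptions for illustration; the
# thread itself only names the "ssl-ignore" family.
SAMPLE_SERVERS = """\
[groups]
internal = *.corp.example

[internal]
ssl-authorities-file = /etc/ssl/corp-ca.pem
ssl-client-cert-file = /home/dev/client.p12

[global]
ssl-ignore-unknown-ca = yes
ssl-ignore-host-mismatch = no
"""

TRUTHY = {"1", "true", "yes", "on"}  # assumed boolean spellings


def audit_servers(text):
    """Return (section, key) pairs where an ssl-ignore-* override is enabled.

    Other ssl-* keys (own CA list, client certificate) are not reported,
    matching the distinction drawn in the thread.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        if section == "groups":  # maps group names to host patterns only
            continue
        for key, value in parser.items(section):
            enabled = value.strip().lower() in TRUTHY
            if key.lower().startswith("ssl-ignore-") and enabled:
                findings.append((section, key))
    return findings


if __name__ == "__main__":
    for section, key in audit_servers(SAMPLE_SERVERS):
        print(f"[{section}] {key} is enabled: certificate checking is weakened")
```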