Posted to users@subversion.apache.org by Mohsin <mo...@gmail.com> on 2014/10/26 00:26:10 UTC

SSL V3 Vulnerability in HTTP Repository Access.

Hi All,

We are using HTTP protocol for repository access
(http://abc.svn.com/svn/Repo/) over the internet. For this case we are using
tortoise svn client V 1.8.7, which is dependent on serf, and serf is using SSL
V3. I just read serf version 1.3.5 is using SSL V3 and in serf 1.3.5 SSL V3
is enabled. Serf had released latest version 1.3.8 in which SSL V3 is
disabled. So should I upgrade serf version on my server, because I have
compiled my svn with serf V 1.3.5, or is there no issue?


regards 
Mohsin



--
View this message in context: http://subversion.1072662.n5.nabble.com/SSL-V3-Vulnerability-in-HTTP-Repository-Access-tp190716.html
Sent from the Subversion Users mailing list archive at Nabble.com.

Re: SSL V3 Vulnerability in HTTP Repository Access.

Posted by Andreas Stieger <an...@gmx.de>.
> On 26 Oct 2014, at 01:33, Mohsin <mo...@gmail.com> wrote:
> 
> Can you tell when SSH/TLS is used? In my case we are using HTTP protocol.

Whenever a capable administrator configures the system to support it and users use the correct scheme, or are forced to do so as is the case with many production deployments.

> How can I disable SSL 3.0 in Apache conf?

Please read the relevant documentation. As you seem to be using a web viewer for this you should have no problem finding this all over the web. Also I would not spoil your fun discovering that or lower the level of discussion on this list.

Andreas

Re: SSL V3 Vulnerability in HTTP Repository Access.

Posted by Mohsin <mo...@gmail.com>.
Thanks David & Andreas.


regards
Mohsin 
Software Engineer-Configuration Management




Re: SSL V3 Vulnerability in HTTP Repository Access.

Posted by Mohsin <mo...@gmail.com>.
Thanks David & Andreas.


regards
Mohsin 
Software Engineer-Configuration Management (CM)




Re: SSL V3 Vulnerability in HTTP Repository Access.

Posted by David Lowe <do...@earthlink.net>.
On 2014 Oct 25, at 6:33 PM, Mohsin <mo...@gmail.com> wrote:

>> If you use HTTP "http://" you are not using SSL/TLS. You are not 
>> affected by POODLE, but also not using encryption. 
> 
> We are using HTTP so we are not affected by POODLE.
> 
> 
>> If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the 
>> Apache httpd configuration. No upgrade required, simple configuration 
>> change. 
> 
> Can you tell when SSH/TLS is used? In my case we are using HTTP protocol.
> How can I disable SSL 3.0 in Apache conf?

As has been hinted at already, HTTP does not use *any* encryption. In order to encrypt hypertext file transfers, one would need to set the web server and clients to HTTPS protocol. Most likely your server is Apache, but in any case such configuration details are off-topic for this list. Please read up on, for example, 'man https' or do a web search on 'apache configuration'.

sent from Mountain Lion


Re: SSL V3 Vulnerability in HTTP Repository Access.

Posted by Mohsin <mo...@gmail.com>.
Thanks.

>If you use HTTP "http://" you are not using SSL/TLS. You are not 
>affected by POODLE, but also not using encryption. 

We are using HTTP so we are not affected by POODLE.


>If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the 
>Apache httpd configuration. No upgrade required, simple configuration 
>change. 


Can you tell when SSH/TLS is used? In my case we are using HTTP protocol.
How can I disable SSL 3.0 in Apache conf?


Regards
Mohsin




Re: SSL V3 Vulnerability in HTTP Repository Access.

Posted by Andreas Stieger <an...@gmx.de>.
Hi,

On 25/10/14 23:26, Mohsin wrote:
> We are using HTTP protocol for repository access
> (http://abc.svn.com/svn/Repo/) over the internet. For this case we are using
> tortoise svn client V 1.8.7, which is dependent on serf, and serf is using SSL
> V3. I just read serf version 1.3.5 is using SSL V3 and in serf 1.3.5 SSL V3
> is enabled. Serf had released latest version 1.3.8 in which SSL V3 is
> disabled. So should I upgrade serf version on my server, because I have
> compiled my svn with serf V 1.3.5, or is there no issue?

If you use HTTP "http://" you are not using SSL/TLS. You are not
affected by POODLE, but also not using encryption.

If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the
Apache httpd configuration. No upgrade required, simple configuration
change.

Andreas
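
Added example, not part of any message in this thread: a small audit that applies the two checks discussed above, first whether the repository URL uses SSL/TLS at all, then whether the server's SSLProtocol line still leaves SSL 3.0 enabled. The token handling is a simplified model of mod_ssl's parsing, the meaning of "all" is an assumption for 2014-era builds, and the sample configs and the svn.example.test host are constructed.

```python
import re
from urllib.parse import urlparse

# Simplified model of mod_ssl's SSLProtocol parsing (assumption): "all" is taken
# to mean SSLv3 plus the TLS 1.x versions, as on 2014-era httpd builds.
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def effective_protocols(args):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        chosen = ALL if name == "all" else {name}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:                      # a bare name replaces what came before
            enabled = set(chosen)
    return enabled

def audit(repo_url, httpd_conf):
    """Return (verdict, detail) for a repository URL and its server's config text."""
    scheme = urlparse(repo_url).scheme.lower()
    if scheme == "http":
        return ("plaintext", "no SSL/TLS in use: POODLE does not apply, "
                             "but nothing is encrypted")
    if scheme != "https":
        return ("unknown", "scheme %r is not HTTP(S)" % scheme)
    # Commented-out lines are skipped; the last SSLProtocol line wins in this
    # single-vhost model.
    found = re.findall(r"^[ \t]*SSLProtocol[ \t]+(.+?)[ \t]*$", httpd_conf, re.I | re.M)
    if not found:
        return ("review", "no SSLProtocol directive: httpd's built-in default applies")
    enabled = effective_protocols(found[-1])
    if "sslv3" in enabled:
        return ("sslv3-enabled", "SSLProtocol %s" % found[-1])
    return ("ok", "enabled: " + ", ".join(sorted(enabled)))

# Constructed sample configs (not from the thread).
WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
FIXED = "SSLEngine on\n# SSLProtocol all\nSSLProtocol all -SSLv3\n"

if __name__ == "__main__":
    print(audit("http://abc.svn.com/svn/Repo/", WEAK))
    print(audit("https://svn.example.test/svn/Repo/", WEAK))
    print(audit("https://svn.example.test/svn/Repo/", FIXED))
```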