subversion-users mailing list archives

From "Garrison, Jim (ETW)" <Jim.Garri...@nike.com>
Subject Newer SSL libraries and TLSv1.2 incompatibilities
Date Wed, 13 Jun 2012 22:56:19 GMT
Regarding my question in the thread titled "When connecting to an https server force use of
TLS or SSLv3?".

I asked that before I fully understood the problem, which is actually due to a backwards incompatibility
in the newest OpenSSL libraries (1.0.1c) used by Subversion.  Essentially, the newest client
library can cause older servers to hang when it sends a TLSv1.2 handshake.

The release notes for OpenSSL 1.0.1c contain (changes between 1.0.1 and 1.0.1a):

  *) Workarounds for some broken servers that "hang" if a client hello
     record length exceeds 255 bytes.

     1. Do not use record version number > TLS 1.0 in initial client
        hello: some (but not all) hanging servers will now work.
     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
        the number of ciphers sent in the client hello. This should be
        set to an even number, such as 50, for example by passing:
        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
        Most broken servers should now work.
     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
        TLS 1.2 client support entirely.

Is there any way, other than completely rebuilding svn locally, to use these workarounds?

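As an added illustration (not part of the original message, and not OpenSSL's or Subversion's code), the constructed Python below builds a ClientHello record and shows what two of the quoted workarounds change on the wire: the record-layer version (workaround 1) and the record length after the cipher list is cut to OPENSSL_MAX_TLS1_2_CIPHER_LENGTH bytes (workaround 2), which is what matters to a server that hangs on records longer than 255 bytes. The suite codes and extension bytes are constructed placeholders, not a real OpenSSL offer.

```python
import struct

TLS1_0 = b"\x03\x01"
TLS1_2 = b"\x03\x03"

def build_client_hello(cipher_suites, record_version=TLS1_2,
                       hello_version=TLS1_2, extensions=b"",
                       max_cipher_bytes=None):
    """Build a raw TLS record carrying a ClientHello (constructed, for measurement only).

    max_cipher_bytes mirrors OPENSSL_MAX_TLS1_2_CIPHER_LENGTH: the cipher list is
    cut to that many bytes (kept even, since each suite code is 2 bytes).
    record_version=TLS1_0 mirrors workaround 1: the record layer says TLS 1.0
    while the hello inside still offers TLS 1.2.
    """
    ciphers = b"".join(struct.pack("!H", c) for c in cipher_suites)
    if max_cipher_bytes is not None:
        ciphers = ciphers[:max_cipher_bytes - max_cipher_bytes % 2]
    body = (hello_version
            + bytes(32)                               # client random (zeros here)
            + b"\x00"                                 # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                            # compression: null only
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + record_version + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record):
    """Report the two fields the release note's workarounds change: the
    record-layer version and whether the record length exceeds 255 bytes."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    length = struct.unpack("!H", record[3:5])[0]
    return {"record_version": bytes(record[1:3]),
            "record_length": length,
            "over_255": length > 255}

# Constructed inputs: 100 placeholder suite codes and 60 bytes of extensions,
# standing in for a full TLS 1.2 offer with signature_algorithms and friends.
SUITES = list(range(1, 101))
EXTS = bytes(60)

def compare():
    """Return (default, with_workarounds) inspections for the same cipher list."""
    default = inspect_client_hello(build_client_hello(SUITES, extensions=EXTS))
    patched = inspect_client_hello(build_client_hello(
        SUITES, record_version=TLS1_0, extensions=EXTS, max_cipher_bytes=50))
    return default, patched

if __name__ == "__main__":
    for label, info in zip(("default", "with workarounds"), compare()):
        print(label, info)
```

With these constructed inputs the default hello is a 305-byte record (over the 255-byte threshold), while the truncated one is 155 bytes with a TLS 1.0 record version; a packet capture of the real client can be checked the same way against inspect_client_hello.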