subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Philip Martin <philip.mar...@wandisco.com>
Subject Re: Newer SSL libraries and TLSv1.2 incompatibilities
Date Fri, 15 Jun 2012 15:32:13 GMT
Daniel Shahaf <danielsh@elego.de> writes:

> Garrison, Jim (ETW) wrote on Thu, Jun 14, 2012 at 10:49:47 -0700:
>> 
>> This is going to cause major headaches for a lot of people.  OpenSSL
>> client versions 1.0.1 and later can and will cause earlier server
>> versions to hang at CLIENT HELLO.  There are options in the OpenSSL
>> code to tailor the client behavior to avoid this, but they require
>> the client applications (i.e. subversion) to support setting these
>> options. For example
>> 
>>     ctx = SSL_CTX_new(...);
>>     SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
>> 
>> What's the possibility of getting an enhancement to subversion to support this in
its server configuration?
>
> Haven't read everything, but Subversion does not call SSL_CTX_new() at
> all; its dependencies, libneon and/or libserf, do.

Both serf and neon do:

   SSL_CTX_set_options(ctx, SSL_OP_ALL);

neon provides ne_ssl_context_set_flag() but it can only be used to
set/clear SSL_OP_NO_SSLv2.

-- 
Philip

Mime
View raw message