ArchiveOrangemail archive

users.subversion.apache.org



When connecting to an https server force use of TLS or SSLv3?

Garrison, Jim (ETW) Thu, 07 Jun 2012 21:19:57 +0000 (UTC)
When svn attempts to connect to an https URL, the underlying protocol
library (openssl?) attempts to start the secure protocol negotiation at
the most basic level, plain SSL.

Unfortunately, I have to connect to a server that requires SSL3 or
TLS1, and refuses to respond to SSL or SSL2.

I've done some troubleshooting using s_client and confirmed that if I
let s_client start with the default protocol the server never responds
to the CLIENT HELLO:

    $ openssl s_client -connect server.domain.com:443
    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 320 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---


Watching this in Wireshark I see:


    Client                Server
        -------syn---------->
        <------ack-----------
        ---CLIENT HELLO----->
        <------ack-----------
          [60 second pause]
        <------rst-----------

If I tell s_client to use ssl2 the server immediately closes the
connection. Only ssl3 and tls1 work.

Is there any way to tell subversion to tell the underlying ssl
libraries to skip SSL and SSL2, and start the negotiation with TLS or
SSL3?  I've looked for an OpenSSL config file, but that seems to
control only certificate generation.
Daniel Shahaf Fri, 08 Jun 2012 08:06:15 +0000 (UTC)
Garrison, Jim (ETW) wrote on Thu, Jun 07, 2012 at 14:19:20 -0700:
> If I tell s_client to use ssl2 the server immediately closes the
> connection. Only ssl3 and tls1 work.
> 
> Is there any way to tell subversion to tell the underlying ssl
> libraries to skip SSL and SSL2, and start the negotiation with TLS or
> SSL3?  I've looked for an OpenSSL config file, but that seems to
> control only certificate generation.

I would expect such settings to be controllable from
~/.subversion/servers, but none of the settings 1.7.x has there seem
relevant.

I'm not sure what other ways there might be to change the default.
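
As an added example (not part of the original thread), the s_client comparison from the first message can be scripted so that each protocol flag gets a one-word verdict. The function names and verdict labels are assumptions made here; the embedded sample is the s_client output quoted in that message.

```shell
#!/bin/sh
# Added example: turn `openssl s_client` output into a verdict per protocol flag.
# Function names and verdict labels are hypothetical, chosen for this example.

# Read s_client output (stdout+stderr) on stdin and print one verdict.
classify_handshake() {
    out=$(cat)
    case $out in
        *[Uu]"nknown option"*)          echo flag_unsupported ;;  # local openssl build lacks the flag
        *"Cipher is "[A-Z]*)            echo negotiated ;;        # a real cipher name, not "(NONE)"
        *"handshake has read 0 bytes"*) echo no_server_reply ;;   # ClientHello sent, nothing came back
        *CONNECTED*)                    echo handshake_failed ;;  # server answered, no cipher agreed
        *)                              echo connect_failed ;;    # TCP connection never established
    esac
}

# Try the default hello, then the forced versions named in the thread.
# usage: probe host:port   (a silent server can take a long time to time out)
probe() {
    target=$1
    for flag in "" -ssl3 -tls1; do
        verdict=$(openssl s_client $flag -connect "$target" </dev/null 2>&1 |
                  classify_handshake)
        printf '%-8s %s\n' "${flag:-default}" "$verdict"
    done
}

# Sample input: the default-protocol s_client output quoted in the first message.
sample_from_post() {
    cat <<'EOF'
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
EOF
}

# Stand-alone run: classify the sample, no network access needed.
sample_from_post | classify_handshake
```

A `no_server_reply` verdict for the default hello next to `negotiated` for a forced version reproduces the behaviour described in the first message.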