Re: SSL V3 Vulnerability in HTTP Repository Access.

2014-10-26 Thread Mohsin
Thanks David & Andreas.


regards
Mohsin 
Software Engineer-Configuration Management (CM)



--
View this message in context: 
http://subversion.1072662.n5.nabble.com/SSL-V3-Vulnerability-in-HTTP-Repository-Access-tp190716p190727.html
Sent from the Subversion Users mailing list archive at Nabble.com.


Re: SSL V3 Vulnerability in HTTP Repository Access.

2014-10-26 Thread Mohsin
Thanks David & Andreas.


regards
Mohsin 
Software Engineer-Configuration Management





SSL V3 Vulnerability in HTTP Repository Access.

2014-10-25 Thread Mohsin
Hi All,

We are using the HTTP protocol for repository access
(http://abc.svn.com/svn/Repo/) over the internet. For this case we are using
TortoiseSVN client V 1.8.7, which is dependent on serf, and serf is using SSL
V3. I just read that serf version 1.3.5 is using SSL V3 and in serf 1.3.5 SSL V3
is enabled. Serf has released the latest version 1.3.8, in which SSL V3 is
disabled. So should I upgrade the serf version on my server, because I have
compiled my svn with serf V 1.3.5, or is there no issue?


regards 
Mohsin





Re: SSL V3 Vulnerability in HTTP Repository Access.

2014-10-25 Thread Andreas Stieger
Hi,

On 25/10/14 23:26, Mohsin wrote:
> We are using the HTTP protocol for repository access
> (http://abc.svn.com/svn/Repo/) over the internet. For this case we are using
> TortoiseSVN client V 1.8.7, which is dependent on serf, and serf is using SSL
> V3. I just read that serf version 1.3.5 is using SSL V3 and in serf 1.3.5 SSL V3
> is enabled. Serf has released the latest version 1.3.8, in which SSL V3 is
> disabled. So should I upgrade the serf version on my server, because I have
> compiled my svn with serf V 1.3.5, or is there no issue?

If you use HTTP "http://" you are not using SSL/TLS. You are not
affected by POODLE, but also not using encryption.

If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the
Apache httpd configuration. No upgrade required, simple configuration
change.

Andreas
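
Added example (not part of the thread, and not code from Subversion, serf or Apache httpd): a small audit that reads httpd configuration text and reports whether each mod_ssl SSLProtocol line still leaves SSLv3 enabled, which is the setting the reply above says to turn off. The sample configuration is constructed, and "all" is assumed to expand as on 2014-era builds, where it still included SSLv3.

```python
import re

# Assumption: "all" expands as on 2014-era httpd/OpenSSL builds (SSLv3 included).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = ALL | {"SSLv2"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right, the way mod_ssl does."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        group = set(ALL) if name == "all" else {p for p in KNOWN if p.lower() == name}
        if not group:
            raise ValueError(f"unknown SSLProtocol token: {token}")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:  # a bare token replaces whatever was set before it
            enabled = group
    return enabled


def audit(config_text):
    """Return (line_no, arguments, sslv3_enabled) for each active SSLProtocol line."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # lines commented out with '#' do not match
        if m:
            args = m.group(1)
            findings.append((no, args, "SSLv3" in effective_protocols(args)))
    return findings


# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    # SSLProtocol all
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for no, args, weak in audit(SAMPLE):
        print(f"line {no}: SSLProtocol {args} -> SSLv3 {'ENABLED' if weak else 'disabled'}")
```

In the sample, the first virtual host still accepts SSLv3 because only SSLv2 is subtracted from "all"; the second shows the corrected line.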


Re: SSL V3 Vulnerability in HTTP Repository Access.

2014-10-25 Thread Mohsin
Thanks.

> If you use HTTP "http://" you are not using SSL/TLS. You are not
> affected by POODLE, but also not using encryption.

We are using HTTP so we are not affected by POODLE.


> If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the
> Apache httpd configuration. No upgrade required, simple configuration
> change.


Can you tell when SSH/TLS is used? In my case we are using the HTTP protocol.
How can I disable SSL 3.0 in Apache conf?


Regards
Mohsin





Re: SSL V3 Vulnerability in HTTP Repository Access.

2014-10-25 Thread Andreas Stieger

> On 26 Oct 2014, at 01:33, Mohsin mohsinchan...@gmail.com wrote:
>
> Can you tell when SSH/TLS is used? In my case we are using the HTTP protocol.

Whenever a capable administrator configures the system to support it and users 
use the correct scheme, or are forced to do so as is the case with many 
production deployments.

> How can I disable SSL 3.0 in Apache conf?

Please read the relevant documentation. As you seem to be using a web viewer 
for this you should have no problem finding this all over the web. Also I would 
not spoil your fun discovering that or lower the level of discussion on this 
list.

Andreas

Re: SSL V3 Vulnerability in HTTP Repository Access.

2014-10-25 Thread David Lowe
On 2014 Oct 25, at 6:33 PM, Mohsin mohsinchan...@gmail.com wrote:

> > If you use HTTP "http://" you are not using SSL/TLS. You are not
> > affected by POODLE, but also not using encryption.
>
> We are using HTTP so we are not affected by POODLE.
>
> > If using SSH/TLS, the server does not use serf. Turn off SSL 3.0 in the
> > Apache httpd configuration. No upgrade required, simple configuration
> > change.
>
> Can you tell when SSH/TLS is used? In my case we are using the HTTP protocol.
> How can I disable SSL 3.0 in Apache conf?

As has been hinted at already, HTTP does not use *any* encryption.  In 
order to encrypt hypertext file transfers, one would need to set the web server 
and clients to HTTPS protocol.  Most likely your server is Apache, but in any 
case such configuration details are off-topic for this list.  Please read up 
on, for example, 'man https' or do a web search on 'apache configuration'.

sent from Mountain Lion



Re: SSL v3 vulnerability

2014-10-22 Thread Daniel Shahaf
Great answer --- you should add it to the FAQ :)

Stefan Sperling wrote on Tue, Oct 21, 2014 at 17:18:44 +0200:
> On Tue, Oct 21, 2014 at 02:40:32PM +, Nicolas CALVET (Ingenico Partner) wrote:
> > Hi,
> >
> > Recently, we were informed by a publication speaking about the vulnerability
> > of SSLv 3.0.
> > We would like to know if Subversion 1.6 is compatible with the following
> > protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?
> >
> > Thanks in advance for your quick feedback
> >
> > Regards,
> >
> >
> > Kind regards,
> > Nicolas Calvet
> >
>
> Subversion does not use SSL directly. It uses SSL indirectly via some
> of its dependencies. Therefore there is nothing the Subversion project
> can do about SSL-related issues (apart from some aspects such as client-side
> certificate management, but this doesn't apply for the SSLv3 problem).
> You should ask the relevant projects which Subversion depends on about
> their implementation of SSL support.
>
> For Subversion 1.6 clients, the neon or serf library can be used to
> establish HTTPS connections. The default library is neon. This project's
> website is http://webdav.org/neon/ -- that's probably the most appropriate
> place for your question. I believe neon supports TLS 1.2 as long as a
> recent enough version of OpenSSL or GNUTLS is used by neon.
>
> For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
> released an update (1.3.8) which disables the use of SSLv3 entirely.
> It uses OpenSSL so as long as a recent OpenSSL version is in use, the
> TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/
>
> Subversion's server-side support for HTTPS is usually implemented by
> the Apache HTTPD web server: http://httpd.apache.org
>
> Another place where SSL is used is the svn:// protocol if the server
> uses SASL with a configuration that uses SSL. Subversion then uses
> Cyrus-SASL for both the server and the client. The project's website
> is http://asg.web.cmu.edu/sasl/


Re: SSL v3 vulnerability

2014-10-22 Thread Mohsin
Nice interpretation, thanks.
We are using the http protocol for repository access over the internet. For this
case should we upgrade the serf version or not? We are using serf v1.3.5.


regards
Mohsin





SSL v3 vulnerability

2014-10-21 Thread Nicolas CALVET (Ingenico Partner)
Hi,

Recently, we were informed by a publication speaking about the vulnerability of
SSLv 3.0.
We would like to know if Subversion 1.6 is compatible with the following
protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?

Thanks in advance for your quick feedback

Regards,


Kind regards,
Nicolas Calvet



Re: SSL v3 vulnerability

2014-10-21 Thread Stefan Sperling
On Tue, Oct 21, 2014 at 02:40:32PM +, Nicolas CALVET (Ingenico Partner) 
wrote:
> Hi,
>
> Recently, we were informed by a publication speaking about the vulnerability
> of SSLv 3.0.
> We would like to know if Subversion 1.6 is compatible with the following
> protocols: TLS 1.0 / TLS 1.1 / TLS 1.2?
>
> Thanks in advance for your quick feedback
>
> Regards,
>
>
> Kind regards,
> Nicolas Calvet
>

Subversion does not use SSL directly. It uses SSL indirectly via some
of its dependencies. Therefore there is nothing the Subversion project
can do about SSL-related issues (apart from some aspects such as client-side
certificate management, but this doesn't apply for the SSLv3 problem).
You should ask the relevant projects which Subversion depends on about
their implementation of SSL support.

For Subversion 1.6 clients, the neon or serf library can be used to
establish HTTPS connections. The default library is neon. This project's
website is http://webdav.org/neon/ -- that's probably the most appropriate
place for your question. I believe neon supports TLS 1.2 as long as a
recent enough version of OpenSSL or GNUTLS is used by neon.

For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
released an update (1.3.8) which disables the use of SSLv3 entirely.
It uses OpenSSL so as long as a recent OpenSSL version is in use, the
TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/

Subversion's server-side support for HTTPS is usually implemented by
the Apache HTTPD web server: http://httpd.apache.org

Another place where SSL is used is the svn:// protocol if the server
uses SASL with a configuration that uses SSL. Subversion then uses
Cyrus-SASL for both the server and the client. The project's website
is http://asg.web.cmu.edu/sasl/