Great answer --- you should add it to the FAQ :)
Stefan Sperling wrote on Tue, Oct 21, 2014 at 17:18:44 +0200:
> On Tue, Oct 21, 2014 at 02:40:32PM +0000, Nicolas CALVET (Ingenico Partner) wrote:
> > Hi,
> >
> > Recently, we were informed by a publication speaking about the vulnerability
> > of SSLv 3.0.
> > We would like to know if Subversion 1.6 is compatible with the following
> > protocol TLS 1.0 / TLS 1.1 / TLS 1.2 ?
> >
> > Thanks in advance for your quick feedback
> >
> > Regards,
> >
> >
> > Kind regards,
> > Nicolas Calvet
> >
>
> Subversion does not use SSL directly. It uses SSL indirectly via some
> of its dependencies. Therefore there is nothing the Subversion project
> can do about SSL-related issues (apart from some aspects such as client-side
> certificate management, but this doesn't apply for the SSLv3 problem).
> You should ask the relevant projects which Subversion depends on about
> their implementation of SSL support.
>
> For Subversion 1.6 clients, the neon or serf library can be used to
> establish HTTPS connections. The default library is neon. This project's
> website is http://webdav.org/neon/ -- that's probably the most appropriate
> place for your question. I believe neon supports TLS 1.2 as long as a
> recent enough version of OpenSSL or GNUTLS is used by neon.
>
> For Subversion 1.8, the only client-side HTTPS option is serf. Serf has
> released an update (1.3.8) which disables the use of SSLv3 entirely.
> It uses OpenSSL so as long as a recent OpenSSL version is in use, the
> TLS 1.2 protocol should work fine. See http://code.google.com/p/serf/
>
> Subversion's server-side support for HTTPS is usually implemented by
> the Apache HTTPD web server: http://httpd.apache.org
>
> Another place where SSL is used is the svn:// protocol if the server
> uses SASL with a configuration that uses SSL. Subversion then uses
> Cyrus-SASL for both the server and the client. The project's website
> is http://asg.web.cmu.edu/sasl/