
To deal with the recently-discovered POODLE vulnerability in SSLv3, we disabled the old protocol on our servers -- including the Subversion repository server.

This broke the svn-clients on our RHEL5 machines -- they now report the following error:

svn: OPTIONS of 'https://svn.example.net/foo/trunk/': SSL negotiation failed: Secure connection truncated (https://svn.example.net).

The svn version is 1.6.11. The same version on RHEL6 is fine, so one could think the difference lies in the openssl libraries.

But Apache running on the same RHEL5-box as the svn-client uses the same libraries and is serving its own SSL-traffic without a hitch (over TLSv1).

How do I make svn-client work without the svn-server supporting SSLv3?

Update: Looking closer at ldd's output, I see that svn links with GnuTLS on RHEL6, but OpenSSL on RHEL5, which may account for the difference. I still don't understand why Apache, using OpenSSL on the same RHEL5 system, has no problem offering TLSv1, however.

2 Answers


Please try this workaround https://access.redhat.com/solutions/1234843.

svn-client <-- supports SSLv3 --> local stunnel <-- no SSLv3 / automatic fall back to TLS --> SVN server

Some components do not provide configuration parameters that allow SSLv3 to be disabled. Currently, the following components are known to fall into this category:

OpenLDAP

cups

It is possible to disable SSLv3 for these components by using stunnel. Stunnel provides an encryption wrapper between a remote client and a local (inetd-startable) or remote server, using the OpenSSL library for cryptography. To disable SSLv3 on stunnel, use the following configuration parameters in the stunnel.conf file:

options = NO_SSLv2
options = NO_SSLv3
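The following stunnel.conf is an added example, not part of this answer or of the Red Hat article, showing a concrete form of the layout above. Instead of letting the svn client speak SSLv3 to stunnel, it has the client talk plain HTTP to a loopback-only listener and lets stunnel open the TLS connection to the server with SSLv2 and SSLv3 disabled, so no SSLv3 is negotiated anywhere. The hostname, ports, pid file and CA bundle path are assumptions; adjust them to the local system.

```ini
; stunnel.conf (added example; svn.example.net, port 8443 and the paths below are assumptions)
; The svn client connects to http://127.0.0.1:8443/ ; stunnel wraps that in TLS
; towards the real server. Bind to loopback only so nothing else can use the proxy.
foreground = no
pid = /var/run/stunnel-svn.pid

[svn-tls]
client = yes
accept = 127.0.0.1:8443
connect = svn.example.net:443
options = NO_SSLv2
options = NO_SSLv3
; verify the server certificate against the system CA bundle, otherwise the
; local proxy would accept any certificate and silently weaken what the svn
; client used to check itself
verify = 2
CAfile = /etc/pki/tls/certs/ca-bundle.crt
```

Start stunnel with this file and point the working copy at the proxy, which on svn 1.6 is done with `svn switch --relocate https://svn.example.net/foo/trunk/ http://127.0.0.1:8443/foo/trunk/`. Two things to check before rolling this out: the server must still serve the repository when the Host header reads `127.0.0.1:8443` (a name-based virtual host may route the request elsewhere), and `openssl s_client -connect svn.example.net:443 -tls1` from the RHEL5 box should complete a handshake, which confirms that the OpenSSL on that system can do TLSv1 and that the failure is confined to the svn client's use of it.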

One solution was to recompile Subversion to use the new version of serf (1.3.8). The newest serf does not use SSLv3 either and so can talk to the TLS-only server. However, updating the svn client on dozens of systems is problematic in its own right.

We solved this problem by modifying Apache on the server as described in my answer to my own question on ServerFault. Best of luck.