Bug#336373: workaround
Sorry for all the spam..

This is definitely the openssl bug. It appears that the fix in subversion 1.2.3dfsg1-3 only postponed the problem until libneon24 upgraded to openssl 0.9.8.

I found that a workaround is to limit the ciphers on the Apache end. Removing all SSLv3 ciphers except RC4 seems to do the trick. For example, my apache2 configuration now has:

    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

and subversion works again. This is a drastic measure, of course, but I need my subversion repository to work.

I didn't reopen this bug because it's really a problem with openssl, but maybe it's worth keeping this around so other people can find it.

-jim

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#336373: workaround
[Jim Paris]
> This is definitely the openssl bug. It appears that the fix in subversion 1.2.3dfsg1-3 only postponed the problem until libneon24 upgraded to openssl 0.9.8.

That seems unlikely since libneon24 in unstable uses openssl 0.9.8. ...E, wait, are you saying openssl 0.9.7 has the bug, or 0.9.8?

I will ask people to retest with subversion 1.3.0-1, which uses libneon25 and (openssl 0.9.8), as soon as our 1.3.0-1 gets through NEW processing and into experimental.

> I found that a workaround is to limit the ciphers on the Apache end. Removing all SSLv3 ciphers except RC4 seems to do the trick. For example, my apache2 configuration now has:
>
>     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

Thanks for the workaround!

Peter

Bug#336373: workaround
> > This is definitely the openssl bug. It appears that the fix in subversion 1.2.3dfsg1-3 only postponed the problem until libneon24 upgraded to openssl 0.9.8.
>
> That seems unlikely since libneon24 in unstable uses openssl 0.9.8. ...E, wait, are you saying openssl 0.9.7 has the bug, or 0.9.8?

I'm not quite sure what you mean. I'm using 0.9.8 all around. As far as I can tell, the bug was introduced in openssl 0.9.8, and only shows up when both client and server are 0.9.8.

-jim

Bug#336373: workaround
[Peter Samuelson]
> That seems unlikely since libneon24 in unstable uses openssl 0.9.8. ...E, wait, are you saying openssl 0.9.7 has the bug, or 0.9.8?

Never mind. Having read #338006, all is clear now. Thanks again for the information.

Peter