Move back to OpenSSL 1.1.0?


Andreas Hestermeyer

Apr 23, 2022, 12:22:14 PM
to TortoiseSVN
I wonder whether it would be feasible to return to OpenSSL 1.1.0 for TortoiseSVN. 1.1.1 doesn't work with >= TLS 1.2 and client certificates. Using client certificates seems to be a great security advantage if an SVN server is exposed to the internet.

Does anybody have thoughts on this?

Best regards,
Andreas

Daniel Sahlberg

Apr 23, 2022, 3:42:30 PM
to TortoiseSVN
Saturday 23 April 2022 at 18:22:14 UTC+2, a.hest...@gmail.com wrote:
I wonder whether it would be feasible to return to OpenSSL 1.1.0 for TortoiseSVN. 1.1.1 doesn't work with >= TLS 1.2 and client certificates. Using client certificates seems to be a great security advantage if an SVN server is exposed to the internet.

Does anybody have thoughts on this?

Moving back to a version last updated in September 2019 (EOL 2019-09-11) seems like a risky choice security-wise. But you may be able to compile it yourself.

I don't know what the situation would be if updating to OpenSSL 3.0 but that seems to be a better way forward.

Daniel

Andreas Hestermeyer

Mar 11, 2023, 9:00:15 AM
to TortoiseSVN
I agree. I dug a bit deeper on this and here is my analysis result and suggestion:

1. I understand SVN & TortoiseSVN work with P12-formatted certificates only.
2. This format is supported by OpenSSL only if the "legacy" provider is activated. Easy to prove; it's reproducible on Linux: install openssl 3.x and, without activating the legacy provider, it won't support P12 (aka PFX) certificates. The "legacy" provider needs to be activated in openssl.cnf.
3. I understand TortoiseSVN's usage of OpenSSL isn't configurable. So there should be an option to switch on the legacy crypto providers OR it should be made configurable. I think there needs to be a config call with legacy provider enabled during startup of openssl.

I am not very familiar with the TortoiseSVN code, so it would be fantastic if somebody knowledgeable would give it a try.

Best regards,
Andreas
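As an added example (not TortoiseSVN's or OpenSSL's own code; it assumes an `openssl` CLI on PATH and generates its own throw-away self-signed certificate as test material; the helper names `export_p12` and `p12_provider_needed` are made up here), this POSIX shell script checks whether a given .p12 file parses with OpenSSL's default provider or only with the legacy provider, and shows that re-exporting the file with AES-256 and SHA-256 (PBES2) removes the dependency on the legacy provider altogether:

```shell
#!/bin/sh
# Added example, not TortoiseSVN or OpenSSL project code. Assumes the openssl
# CLI is in PATH; all file names and the certificate are constructed here.
set -u

# Generate a throw-away key + self-signed cert (constructed test material).
make_test_cert() { # <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/cert.pem" -days 1 -subj "/CN=p12-legacy-check" >/dev/null 2>&1
}

# Export a PKCS#12 file. "legacy" uses the pre-3.0 defaults (RC2-40 for the
# certificate bag, 3DES for the key, SHA-1 MAC); "modern" uses AES-256 plus a
# SHA-256 MAC (PBES2), which the default provider of 1.1.x and 3.x can read.
export_p12() { # <dir> <legacy|modern> <out.p12>
  if [ "$2" = legacy ]; then
    # OpenSSL 3.x needs -legacy to even write RC2; 1.1.x writes it by default.
    openssl pkcs12 -export -legacy -in "$1/cert.pem" -inkey "$1/key.pem" \
      -out "$3" -passout pass:test >/dev/null 2>&1 ||
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
      -out "$3" -passout pass:test >/dev/null 2>&1
  else
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" -out "$3" \
      -passout pass:test -certpbe AES-256-CBC -keypbe AES-256-CBC \
      -macalg sha256 >/dev/null 2>&1
  fi
}

# Classify a .p12: prints "default" if the default provider can parse it,
# "legacy" if only the legacy provider can, "unreadable" otherwise.
p12_provider_needed() { # <file.p12>
  if openssl pkcs12 -info -noout -in "$1" -passin pass:test >/dev/null 2>&1; then
    echo default
  elif openssl pkcs12 -info -noout -legacy -in "$1" -passin pass:test >/dev/null 2>&1; then
    echo legacy
  else
    echo unreadable
  fi
}

# Demo: build both variants and classify them.
demo() {
  d=$(mktemp -d); make_test_cert "$d"
  export_p12 "$d" legacy "$d/old.p12"; export_p12 "$d" modern "$d/new.p12"
  printf 'old.p12 (RC2/3DES): %s\nnew.p12 (AES/SHA-256): %s\n' \
    "$(p12_provider_needed "$d/old.p12")" "$(p12_provider_needed "$d/new.p12")"
  rm -rf "$d"
}
```

Call `demo` to see both results; `openssl pkcs12 -legacy` exists only in OpenSSL 3.x. The same activation can be made system-wide in openssl.cnf with a `[provider_sect]` that lists both `default` and `legacy` sections, each with `activate = 1`.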
