Securing VisualSVN Server
Posted by Jason Baker on December 10, 2008
Apparently VisualSVN Server has a bit of a security problem: it runs Apache with the default mod_ssl settings, and that default (SSLProtocol all) still includes the old, insecure SSLv2. Not that SSLv3 is perfectly secure by any stretch of the imagination, but turning SSLv2 off and leaving only SSLv3 and TLSv1 enabled is so simple that there is no reason not to.
All you have to do is add the following two lines to your VisualSVN Server\conf\httpd-custom.conf file (or, if either directive is already there with different values, change it to match):
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
I’d recommend doing this right away. SSLv3 has been widely supported for a very long time (Netscape released it in 1996 precisely because of the weaknesses in SSLv2), so dropping SSLv2 should not lock out any client that matters.
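If you want to check a config before (or after) restarting the service, here is a small audit script. It is added to this post as an example and is not code from VisualSVN or from the original author. It reproduces the SSLProtocol evaluation rules of Apache 2.2's mod_ssl (a bare keyword replaces the enabled set, + adds, - removes, all means SSLv2, SSLv3 and TLSv1, and a missing directive means all), which is exactly how the stock configuration ends up with SSLv2 on. The two sample config texts are constructed for the example; the VirtualHost-scoping simplification and the optional present-day SSLv3 flag are assumptions noted in the code.

```python
"""Audit Apache 2.2 mod_ssl config text for the SSLv2 problem described above.

Added example, not VisualSVN's or the post author's code. It re-implements
the SSLProtocol parsing rules of Apache 2.2 mod_ssl (ssl_engine_config.c):
a bare keyword REPLACES the enabled set, '+' adds to it, '-' removes from
it, and 'all' expands to SSLv2, SSLv3 and TLSv1. When no SSLProtocol
directive is present, mod_ssl 2.2 behaves as if 'SSLProtocol all' were set.
Simplification (assumption): <VirtualHost> scoping is ignored and the last
directive in the file wins.
"""
import re

# Protocol keywords understood by Apache 2.2 mod_ssl
PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})
DEFAULT_DIRECTIVE = "all"  # mod_ssl 2.2 default when the directive is absent

# Apache directive names are case-insensitive
_DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def parse_sslprotocol(args):
    """Return the set of protocols enabled by one SSLProtocol argument string."""
    enabled = set()
    for word in args.split():
        action, name = "", word
        if word[:1] in ("+", "-"):
            action, name = word[0], word[1:]
        if name.lower() == "all":
            chosen = set(PROTOCOLS)
        else:
            chosen = {p for p in PROTOCOLS if p.lower() == name.lower()}
            if not chosen:
                raise ValueError(f"unknown SSLProtocol keyword: {word!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            # Bare keyword: Apache resets the set to just this one, so
            # 'SSLProtocol SSLv3 TLSv1' enables only TLSv1 (a classic footgun).
            enabled = chosen
    return enabled


def effective_protocols(config_text):
    """Protocols mod_ssl would enable for this config (last directive wins)."""
    args = DEFAULT_DIRECTIVE
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _DIRECTIVE_RE.match(line)
        if m:
            args = m.group(1)
    return parse_sslprotocol(args)


def weak_protocols(config_text, weak=("SSLv2",)):
    """Sorted list of the 'weak' protocols this config leaves enabled.

    The default flags only SSLv2, matching the post. Today you would pass
    weak=("SSLv2", "SSLv3"), since SSLv3 has since been deprecated (RFC 7568).
    """
    return sorted(effective_protocols(config_text) & set(weak))


# Constructed sample: a stock-style httpd.conf with no SSLProtocol directive.
STOCK_CONF = """\
Listen 443
LoadModule ssl_module modules/mod_ssl.so
SSLEngine on
SSLCertificateFile conf/server.pem
"""

# Constructed sample: httpd-custom.conf carrying the two directives from the post.
HARDENED_CONF = """\
# Disable SSLv2, keep SSLv3 and TLSv1
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label:9s} enabled={sorted(effective_protocols(conf))} "
              f"weak={weak_protocols(conf)}")
```

To audit your real files, read httpd.conf and httpd-custom.conf and pass their text to effective_protocols or weak_protocols. For a live check with a 2008-era OpenSSL, openssl s_client -connect host:443 -ssl2 stops completing a handshake once the fix is in place; current OpenSSL builds no longer compile in SSLv2 support at all, so a config audit like this is the practical check.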
UPDATE: I’m told that this will be fixed in a future version of VisualSVN Server. Also, make the change in httpd-custom.conf rather than httpd.conf, because httpd.conf is regenerated on upgrade and reconfiguration (see Ivan Zhakov’s comment below).
UPDATE 2: As of VisualSVN 1.6.4 (and possibly older releases), this seems to have been fixed.
Ivan Zhakov said
Thanks a lot for catching this nit! We’ll definitely add these configuration commands to default VisualSVN Server installation.
Currently I recommend that you add these lines to the httpd-custom.conf file instead of the httpd.conf file, since VisualSVN Server regenerates the httpd.conf file on upgrade and reconfiguration.