Securing VisualSVN Server
Posted by Jason Baker on December 10, 2008
Apparently, VisualSVN has a bit of a security vulnerability: it uses Apache’s default settings for mod_ssl. This means that it uses the insecure SSL v2. Not that SSL v3 is perfectly secure by any stretch of the imagination, but the fix for switching over to SSL v3 is just so simple.
All you have to do is add the following lines to your VisualSVN Server\conf\httpd-custom.conf file (or change the lines to this if they’re different):
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
I’d recommend doing this as the SSLv3 protocol has been well supported for a long time (Netscape released it around ’96 because of the vulnerabilities in SSLv2).
UPDATE: I’m told that this will be fixed in a future version of VisualSVN. Also, you should make the changes in httpd-custom.conf rather than httpd.conf.
UPDATE 2: As of VisualSVN 1.6.4 (and possibly older releases), this seems to have been fixed.
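To check whether a given httpd-custom.conf still leaves SSLv2 enabled, the SSLProtocol line can be evaluated the way its +/- syntax reads. This is an added example, not code from the post or from VisualSVN; the function names are hypothetical, and it assumes that the default with no directive is all three protocols and that a later directive overrides an earlier one.

```python
import re

# Assumption: the protocol names mod_ssl accepted in the Apache 2.2 era.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
ALL = frozenset(KNOWN.values())

# Constructed sample: the two lines recommended in the post.
FIXED_CONF = """\
# custom settings
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
"""


def effective_protocols(conf_text):
    """Return the set of protocols left enabled by the SSLProtocol directive.

    Assumptions: with no directive the default is every protocol in ALL
    (SSLv2 included), and a later directive overrides an earlier one.
    """
    enabled = set(ALL)
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # Apache comments start the line
            continue
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        enabled = set()  # each directive is evaluated from an empty set
        for token in m.group(1).split():
            sign = token[0] if token[0] in "+-" else ""
            name = token.lstrip("+-").lower()
            if name != "all" and name not in KNOWN:
                raise ValueError("unknown protocol in SSLProtocol: " + token)
            chosen = set(ALL) if name == "all" else {KNOWN[name]}
            if sign == "-":
                enabled -= chosen
            elif sign == "+":
                enabled |= chosen
            else:  # a bare name replaces whatever was selected so far
                enabled = chosen
    return enabled


def audit(conf_text):
    """Summarise the result and flag SSLv2 explicitly."""
    protocols = effective_protocols(conf_text)
    return {"protocols": sorted(protocols), "sslv2_enabled": "SSLv2" in protocols}


if __name__ == "__main__":
    print(audit(FIXED_CONF))
```

Pass the contents of the real file to audit() in place of FIXED_CONF; a result with sslv2_enabled set to True means the lines above still need to be added.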