Jason in a Nutshell

All about programming and whatever else comes to mind

Securing VisualSVN Server

Posted by Jason Baker on December 10, 2008

Apparently, VisualSVN has a bit of a security vulnerability: it uses Apache’s default settings for mod_ssl. This means that it still allows the insecure SSL v2. Not that SSL v3 is perfectly secure by any stretch of the imagination, but the fix for switching over to SSL v3 is just so simple.

All you have to do is add the following lines to your VisualSVN Server\conf\httpd-custom.conf file (or change the lines to this if they’re different):

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

I’d recommend doing this as the SSLv3 protocol has been well supported for a long time (Netscape released it around ’96 because of the vulnerabilities in SSLv2).
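As an added example (not from the original post or from VisualSVN), the following Python code works out which protocols an `SSLProtocol` line leaves enabled and flags SSLv2 if it survives. It assumes `all` means SSLv2, SSLv3 and TLSv1, as in the mod_ssl builds of the post's era, and treats the file as a single scope with no per-VirtualHost handling; the function names and the `NO_DIRECTIVE` sample are constructed for illustration.

```python
import re

# What "all" expands to in the SSLv2-era mod_ssl the post describes (assumption;
# later Apache builds drop SSLv2 and add newer TLS versions).
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

# The two lines from the post, and a constructed config with no SSLProtocol line.
POST_FIX = ("SSLProtocol -ALL +SSLv3 +TLSv1\n"
            "SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM\n")
NO_DIRECTIVE = "# constructed sample\nListen 443\nSSLEngine on\n"


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: '+' adds, '-' removes, bare replaces."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            selected = set(ALL_PROTOCOLS)
        elif name in _CANONICAL:
            selected = {_CANONICAL[name]}
        else:
            raise ValueError(f"unknown SSLProtocol token: {token!r}")
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected
    return enabled


def audit_config(text, disallowed=("SSLv2",)):
    """Return (effective protocols, sorted disallowed protocols still enabled)."""
    enabled = set(ALL_PROTOCOLS)  # no directive: the default the post warns about
    for line in text.splitlines():
        match = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if match:  # '#' comment lines never match; the last directive wins
            enabled = effective_protocols(match.group(1))
    return enabled, sorted(enabled & set(disallowed))


if __name__ == "__main__":
    for label, cfg in (("post fix", POST_FIX), ("no directive", NO_DIRECTIVE)):
        protocols, flagged = audit_config(cfg)
        print(f"{label}: enabled={sorted(protocols)} flagged={flagged}")
```

Pass `disallowed=("SSLv2", "SSLv3")` to flag SSLv3 as well.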

UPDATE: I’m told that this will be fixed in a future version of VisualSVN. Also, you should make the changes in httpd-custom.conf rather than httpd.conf.

UPDATE 2:  As of VisualSVN 1.6.4 (and possibly older releases), this seems to have been fixed.


One Response to “Securing VisualSVN Server”

  1. Thanks a lot for catching this nit! We’ll definitely add these configuration commands to the default VisualSVN Server installation.

    Currently I recommend that you add these lines to the httpd-custom.conf file instead of the httpd.conf file, since VisualSVN Server regenerates the httpd.conf file on upgrade and reconfiguration.
