WEBDAV no longer working on a site where it used to. Possible SSL issue in BC?

**timg11** · 14-Jan-2015, 08:44 AM

Here is a detailed view of the Client Hello from BC4 that fails

Here is a detailed view of the Client Hello from Windows that works:

The main differences are BC is sending SSL 3.0, and then TLS 1.2.
Windows is sending TLS 1.0 and then TLS 1.0. It appears the server then changes the cipher spec in the Server Hello.

Update: The server administrator says that SSL 3.0 is vulnerable to Poodle. Can BC4 be configured to connect WEBDAV with TLS?

**Aaron** · 15-Jan-2015, 12:03 PM

Hello,

Thanks for the additional details. I'll add these notes to our tracker entry on the subject and we'll look into this.

**timg11** · 15-Jan-2015, 12:44 PM

Aaron, So there is no workaround currently? If it is true that BC only supports secure WEBDAV using a protocol that has been deprecated due to a security vulnerability, that means developing and releasing a fix will be a very high priority, right?

**Aaron** · 16-Jan-2015, 01:49 PM

It is. We're currently working on majorly upgrading this support, but it's been a large project and we had been hoping to contain it to a larger (4.1) release due to the potential changes in behavior. It looks like we might not be able to wait that long however, so we're evaluating what it would take to get this into a more immediate bug fix release (4.0.x).

**obetz** · 17-Jan-2015, 07:52 AM

It would be really great to have this fixed soon.

**timg11** · 28-Jan-2015, 02:18 PM

I just installed 4.0.5, build 19480, released Jan. 27, 2015 .

I'm still getting the same error message as above. Was this build supposed to fix this issue with WEBDAV and SSL3? I haven't tried the wireshark capture, but I think you (Scooter) can also do it from your side. You don't need a valid login on the site since the server closes the connection before it gets to authentication.

**Aaron** · 29-Jan-2015, 09:54 AM

Thanks, and yes, that's what one of our developers is working on. The example link from your email will remain active and we can test against it for a bit, correct?

**timg11** · 12-Feb-2015, 03:15 PM

Any progress on fixing this in 4.0.6?

**Aaron** · 13-Feb-2015, 10:15 AM

Yes, we have a fix in 4.0.6 that should get this working.

**timg11** · 21-Feb-2015, 01:57 PM

Any projected date for beta testing 4.0.6?

**Aaron** · 23-Feb-2015, 10:18 AM

Hello,

We do not have a set date, but we are currently in testing.

**Chris** · 27-Feb-2015, 04:28 PM

timg11,

We released Beyond Compare 4.0.6 today with a fix for the WebDAV SSL issue, please let us know if the new version doesn't resolve your problem.

**timg11** · 28-Feb-2015, 09:38 AM

Yes, 4.06 fixes the WEBDAV SSL issue, thanks!

WEBDAV no longer working on a site where it used to. Possible SSL issue in BC?

WEBDAV no longer working on a site where it used to. Possible SSL issue in BC?

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment