Background for people that haven't heard: https://www.imperialviolet.org/2014/02/22/applebug.html
Subversion on OS X is **NOT** vulnerable to this. First of all the problem is in Apple's SecureTransport functionality. Neither of our HTTP libraries, which we depend on to handle SSL for us, support Apple's SecureTransport in any released version. For neon clients (1.7.x and older, though 1.4.x and newer can be using serf as well), neon only supports OpenSSL or GNUTLS. For serf clients (1.8.x or newer, 1.4.x optionally at configure time, 1.5.x and newer optionally at configure and run time configuration), serf only supports OpenSSL at this time. There is work ongoing to enable SecureTransport and other SSL implementations in Serf but it's unreleased. You can check this by doing: svn cat https://www.imperialviolet.org:1266 You should see an error about the SSL handshake or an error running context or an error connecting to the repository or an error during SSL communication (depending on Subversion version and HTTP Library version). You can of course toggle between http library's with: --config-option servers:global:http-library=serf or --config-option servers:global:http-library=neon If you remove the port number and go to the default https port (which has a well formed certificate and is not a demonstration of the bug), you'll still get an error but it'll be about XML parsing because we got past the SSL session startup and didn't like the response the server sent since it's not actually a Subversion server on the other end.
