Re: [PATCH spice-server v2] Use TLS version 1.0 or better


 



discard this misformatted message please.

David Jaša wrote on Wed 27. 11. 2013 at 17:39 +0100:
> From fe1531dfae23baa6dfc8b88e08f273906196e1c5 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?David=20Ja=C5=A1a?= <djasa@xxxxxxxxxx>
> Date: Wed, 27 Nov 2013 17:04:41 +0100
> Subject: [PATCH] Use TLS version 1.0 or better
> 
> When creating a TLS socket, both spice-server and spice-gtk currently
> call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
> protocol version to TLS 1.0 exclusively. The correct way to support
> multiple protocol versions is to call SSLv23_method() in spite of its
> scary name. This method will enable all protocol versions deemed secure
> by openssl project. The protocol suite may be further narrowed down by
> setting respective SSL_OP_NO_<version_code> options of SSL context. This
> possibility is used in this patch in order to block use of SSLv3, which is
> enabled by default in openssl as of now but which spice has never used.
> ---
>  server/reds.c |   10 +++++++++-
>  1 files changed, 9 insertions(+), 1 deletions(-)
> 
> diff --git a/server/reds.c b/server/reds.c
> index 2a0002b..fef666d 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -3221,6 +3221,14 @@ static int reds_init_ssl(void)
>      SSL_METHOD *ssl_method;
>  #endif
>      int return_code;
> +    /* When some other SSL/TLS version becomes obsolete, add it to this
> +     * variable.
> +     *
> +     * Note that SSLv23_method() even with no SSL_OP_NO_* options uses
> +     * just protocol versions deemed secure by openssl project so the
> +     * SSL_OP_NO_SSLv2 is already redundant and SSL_OP_NO_SSLv3 option is
> +     * present just in order to allow only currently-availabe version or
> +     * better. */
>      long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
>  
>      /* Global system initialization*/
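Review bot: the new comment's claim that SSL_OP_NO_SSLv2 is "already redundant" because SSLv23_method() "uses just protocol versions deemed secure by openssl project" describes a library default that differs between OpenSSL versions and builds, so the code should not lean on it; keep both flags explicit, as the context line `long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;` already does, and reword the comment to state what the flags enforce rather than what OpenSSL might do on its own. Also fix the typo "currently-availabe" and name the floor concretely, e.g. "leave TLS 1.0 and later negotiable", since "currently-available version or better" does not say which version is meant.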
> @@ -3228,7 +3236,7 @@ static int reds_init_ssl(void)
>      SSL_load_error_strings();
>  
>      /* Create our context*/
> -    ssl_method = TLSv1_method();
> +    ssl_method = SSLv23_method();
>      reds->ctx = SSL_CTX_new(ssl_method);
>      if (!reds->ctx) {
>          spice_warning("Could not allocate new SSL context");
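Review bot: the call that applies ssl_options to the new context, SSL_CTX_set_options(reds->ctx, ssl_options), is not visible in either hunk; with SSLv23_method() and the options not applied, SSLv3 stays negotiable, which is exactly what the commit message says this patch blocks, so please confirm that call follows SSL_CTX_new() or widen the diff context to show it. Two smaller points: the commit message says spice-gtk has the same TLSv1_method() call, but the diffstat touches only server/reds.c, so a companion spice-gtk patch is needed; and since OpenSSL 1.0.0 SSLv23_method() returns const SSL_METHOD *, so check that the non-const `SSL_METHOD *ssl_method;` branch under the #ifdef at the top of the first hunk does not now produce a discarded-qualifier warning.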
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
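The method swap and SSL_OP_NO_* narrowing described in the quoted commit message, as an added example that is not part of the patch or of spice. It uses Python's ssl module, which wraps the same OpenSSL calls: SSLContext(PROTOCOL_TLS_SERVER) corresponds to SSL_CTX_new(SSLv23_method()), and ctx.options |= flag to SSL_CTX_set_options(ctx, flag). The function names (make_context, versions_left_by_options, effective_versions) and the NO_VERSION table are this example's own; the one thing the example adds beyond the patch is the check against minimum_version/maximum_version, which newer OpenSSL applies in addition to the SSL_OP_NO_* bits.

```python
import ssl

# Added example (not spice code). Mapping to the OpenSSL calls in the patch:
#   ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  ~  SSL_CTX_new(SSLv23_method())  (version-flexible)
#   ssl.SSLContext(ssl.PROTOCOL_TLSv1)       ~  SSL_CTX_new(TLSv1_method())   (TLS 1.0 only)
#   ctx.options |= ssl.OP_NO_SSLv3           ~  SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3)

# SSL_OP_NO_* flag per protocol version. OpenSSL 1.1.0+ removed SSLv2 and defines
# SSL_OP_NO_SSLv2 as 0; a zero flag therefore means "not built into this OpenSSL at all"
# and is reported as unavailable rather than as enabled.
NO_VERSION = {
    "SSLv2": getattr(ssl, "OP_NO_SSLv2", 0),
    "SSLv3": getattr(ssl, "OP_NO_SSLv3", 0),
    "TLSv1": getattr(ssl, "OP_NO_TLSv1", 0),
    "TLSv1.1": getattr(ssl, "OP_NO_TLSv1_1", 0),
    "TLSv1.2": getattr(ssl, "OP_NO_TLSv1_2", 0),
    "TLSv1.3": getattr(ssl, "OP_NO_TLSv1_3", 0),
}

# Wire-format version codes, used to compare against minimum_version/maximum_version.
VERSION_CODE = {"SSLv2": 0x002, "SSLv3": 0x300, "TLSv1": 0x301,
                "TLSv1.1": 0x302, "TLSv1.2": 0x303, "TLSv1.3": 0x304}


def make_context(blocked=("SSLv2", "SSLv3")):
    """Version-flexible context (the SSLv23_method() pattern) narrowed with SSL_OP_NO_* flags.

    The default matches the patch: block SSLv2 and SSLv3, leave TLS 1.0 and later
    negotiable. Pass a longer `blocked` tuple when another version becomes obsolete,
    the case the patch's comment anticipates, e.g. ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1").
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in blocked:
        ctx.options |= NO_VERSION[name]
    return ctx


def is_version_flexible(ctx):
    """True when ctx was created from a version-flexible method (SSLv23_method() equivalent)."""
    names = ("PROTOCOL_TLS", "PROTOCOL_TLS_CLIENT", "PROTOCOL_TLS_SERVER")
    return ctx.protocol in {getattr(ssl, n) for n in names if hasattr(ssl, n)}


def versions_left_by_options(ctx):
    """Protocol versions that the SSL_OP_NO_* bits on ctx still allow (the bits the patch sets)."""
    return [name for name, flag in NO_VERSION.items() if flag and not (ctx.options & flag)]


def effective_versions(ctx):
    """Versions actually negotiable: SSL_OP_NO_* bits AND the min/max protocol version range.

    OpenSSL 1.1.0+ (SSL_CTX_set_min_proto_version, exposed as ctx.minimum_version in
    Python 3.7+) can narrow the range further than the option bits alone; on older
    builds the option bits are the only control.
    """
    left = versions_left_by_options(ctx)
    if not hasattr(ctx, "minimum_version"):
        return left
    lo = int(ctx.minimum_version)
    hi = int(ctx.maximum_version)
    lo = 0 if lo < 0 else lo          # TLSVersion.MINIMUM_SUPPORTED (-2): no lower bound
    hi = 0xFFFF if hi < 0 else hi     # TLSVersion.MAXIMUM_SUPPORTED (-1): no upper bound
    return [v for v in left if lo <= VERSION_CODE[v] <= hi]


if __name__ == "__main__":
    patched = make_context()
    print("flexible:", is_version_flexible(patched))
    print("left by SSL_OP_NO_* bits:", versions_left_by_options(patched))
    print("effective after min/max range:", effective_versions(patched))
    strict = make_context(blocked=("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"))
    print("strict, effective:", effective_versions(strict))
```

Running it on a current Python shows the point of effective_versions(): the option bits alone leave TLS 1.0 and 1.1 enabled for the patch's default, while a modern context's minimum_version can already exclude them, so a server that needs a definite floor should set it explicitly rather than rely on either the library default or the SSL_OP_NO_* bits alone.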



_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
