Re: [PATCH spice-server v2] Use TLS version 1.0 or better

On Thu, Nov 28, 2013 at 10:39:34AM +0100, David Jaša wrote:
> Christophe Fergeau wrote on Wed 27. 11. 2013 at 17:48 +0100:
> > On Wed, Nov 27, 2013 at 05:39:31PM +0100, David Jaša wrote:
> > > From fe1531dfae23baa6dfc8b88e08f273906196e1c5 Mon Sep 17 00:00:00 2001
> > > From: David Jaša <djasa@xxxxxxxxxx>
> > > Date: Wed, 27 Nov 2013 17:04:41 +0100
> > > Subject: [PATCH] Use TLS version 1.0 or better
> > > 
> > > When creating a TLS socket, both spice-server and spice-gtk currently
> > > call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function sets the
> > > protocol version to TLS 1.0 exclusively. The correct way to support
> > > multiple protocol versions is to call SSLv23_method() in spite of its
> > > scary name. This method will enable all protocol versions deemed secure
> > > by the openssl project.
> > 
> > This is not what the manpage says
> > 
> > SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
> > 
> > A TLS/SSL connection established with these methods will understand
> > the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello
> > messages and will indicate that it also understands SSLv3 and TLSv1. A server
> > will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
> > choice when compatibility is a concern.
> > 
> > (nothing about protocol versions deemed secure or not secure)
> 
> Actually the documentation is outdated and the method name is
> misleading.

Can you file a bug so that the doc gets fixed?

> I was pointed to this fact by Tomáš Mráz, an openssl
> developer and Fedora/RHEL maintainer. The thing works as described by
> the commit message and comment, the test results confirm it.

Hmm, did you test which SSL versions were available when SSL_OP_NO_* is not
used? Part of the comments is about this behaviour, I'd rather we don't
mention this at all since anyway it's not important as SSL_OP_NO_* is set.

Christophe

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel
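The question in the reply above (which versions remain negotiable once the context is created, and what SSL_OP_NO_* actually removes) can be checked directly rather than inferred from a method's name. The following is an added example, not code from this thread or from the spice project; it uses Python's ssl module, which is a thin binding over the same OpenSSL calls: `ssl.PROTOCOL_TLS_SERVER` plays the role of `SSLv23_server_method()` (negotiate anything the library supports), `ctx.options` reads and writes `SSL_CTX_get_options()`/`SSL_CTX_set_options()`, and the `ssl.OP_NO_*` constants are the `SSL_OP_NO_*` bits. The function names `versions_not_disabled` and `make_server_context` and the "floor" parameter are assumptions made for this example. It generalises the patch's "TLS 1.0 or better" to any floor by disabling every older version's bit.

```python
import ssl

# Protocol versions from oldest to newest, each paired with the OpenSSL
# SSL_OP_NO_* bit that disables it, as exposed by Python's ssl module.
# SSLv2 is deliberately not listed: current OpenSSL builds drop it entirely
# and report SSL_OP_NO_SSLv2 as 0, so testing that bit tells you nothing.
_DISABLE_BITS = [
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
]
if hasattr(ssl, "OP_NO_TLSv1_3"):  # present on Python 3.7+ with OpenSSL 1.1.1+
    _DISABLE_BITS.append(("TLSv1.3", ssl.OP_NO_TLSv1_3))

_ORDER = [name for name, _ in _DISABLE_BITS]


def versions_not_disabled(ctx):
    """Return the protocol versions whose SSL_OP_NO_* bit is clear on ctx.

    This is the "which versions are still available" check from the thread:
    it reads SSL_CTX_get_options() back through ctx.options instead of
    trusting the name of the method the context was created with.
    """
    return [name for name, bit in _DISABLE_BITS if not (ctx.options & bit)]


def make_server_context(floor="TLSv1"):
    """Build a server context that negotiates `floor` or any newer version.

    PROTOCOL_TLS_SERVER is the ssl-module analogue of SSLv23_server_method():
    it accepts every version the library supports, and the caller narrows the
    range with SSL_OP_NO_* bits, which is exactly the approach of the patch.
    `floor` is a hypothetical parameter added for this example.
    """
    if floor not in _ORDER:
        raise ValueError("unknown protocol floor: %r" % (floor,))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2  # harmless no-op on builds without SSLv2
    for name, bit in _DISABLE_BITS:
        if _ORDER.index(name) < _ORDER.index(floor):
            ctx.options |= bit
    return ctx


if __name__ == "__main__":
    for floor in ("TLSv1", "TLSv1.2"):
        ctx = make_server_context(floor)
        print("floor %-8s -> still enabled: %s" % (floor, versions_not_disabled(ctx)))
```

Python already sets OP_NO_SSLv3 on a fresh context, so the SSLv3 bit will read as set even for a floor of TLSv1; the explicit loop is what guarantees the floor on libraries with different defaults. On OpenSSL 1.1.0 and later the same floor can be expressed with SSL_CTX_set_min_proto_version() (ctx.minimum_version in Python), which is clearer than a set of OP_NO bits; the read-back check above is still the right way to verify what a context actually allows.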