[PATCH spice-server v2] reds: Disable TLS 1.0

TLS 1.0 is now considered insecure.
TLS 1.1 was introduced in 2006.
Our SPICE clients use OpenSSL for TLS, and the support for TLS 1.1
in OpenSSL was introduced in 2006 too, so even systems like
Windows XP, which do not officially support TLS 1.0, will work
with SPICE and TLS 1.1.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521053.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 server/reds.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Changes since v1:
- update comment to be more precise.

diff --git a/server/reds.c b/server/reds.c
index fa5e838a..a31ed4e9 100644
--- a/server/reds.c
+++ b/server/reds.c
@@ -2728,10 +2728,10 @@ static int reds_init_ssl(RedsState *reds)
     static GOnce openssl_once = G_ONCE_INIT;
     const SSL_METHOD *ssl_method;
     int return_code;
-    /* Limit connection to TLSv1 only.
+    /* Limit connection to TLSv1.1 or newer.
      * When some other SSL/TLS version becomes obsolete, add it to this
      * variable. */
-    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
+    long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
 
     /* Global system initialization*/
     g_once(&openssl_once, openssl_global_init, NULL);
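
Review bot: The new ssl_options initializer runs well past 80 columns; wrap it after one of the | operators. Separately, the comment above it says each newly obsolete version has to be added to this variable by hand, so the protocol floor stays a denylist that needs a code change every time. OpenSSL 1.1.0 and later provide SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION), which states the minimum directly; consider calling it where the context is created, under an OPENSSL_VERSION_NUMBER guard, and keeping SSL_OP_NO_TLSv1 as the fallback for older OpenSSL builds.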
-- 
2.14.3

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel



