
SSL 3.0 and older ciphers selected in applications
Hi all,

I've made some changes to TLS code in reSIProcate

- setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()

- adding configuration options to override the options to
SSL_CTX_set_options (as it is possible there will be some user with old
VoIP hardware out there who wants SSL v3)

- making the cipher list configurable in repro.config

The release team didn't feel these things justify an unblock
request[1].  Can anybody comment on this?  Looking at the CVE
details[2], it appears that some packages still support SSL v3 while
I've heard many people just want to turn it off.

Is it important for application developers to try and minimize the use
of SSL v3 and older ciphers or will these things be phased out by
changing the options centrally in the OpenSSL packages?

I felt that by putting control of these things in the libresip API and
the repro.config file it would help avoid situations where the package
needs to be recompiled to deal with security patching and therefore
reduce the burden on the security updates process.

If it will help the release team, is there anybody from the security
team who could review the changes in my debdiff?

Regards,

Daniel

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772487
2. https://security-tracker.debian.org/tracker/CVE-2014-3566
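The posture described above, with SSLv3 refused by default and an explicit config override plus a configurable cipher list, written out as an added example that is not reSIProcate code. It uses Python's ssl module, which maps directly onto the OpenSSL calls named in the message (SSLContext.options is SSL_CTX_set_options/SSL_CTX_clear_options, set_ciphers is SSL_CTX_set_cipher_list); the config key names are assumed, not repro.config's real ones.

```python
import ssl

# Constructed stand-in for repro.config entries (key names are assumptions).
DEFAULT_CONFIG = {
    "TLSAllowSSLv3": "false",
    "TLSCipherList": "HIGH:!aNULL:!MD5:!RC4",
}

# The SSL_OP_NO_* protocol bits of the OpenSSL option mask, by protocol name.
PROTOCOL_OPTIONS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
}


def build_context(config=None):
    """Build a server context: SSLv3 off unless the config opts back in."""
    cfg = dict(DEFAULT_CONFIG, **(config or {}))
    # PROTOCOL_TLS_SERVER is the version-flexible method (OpenSSL's
    # SSLv23_method): both peers negotiate the highest version they allow.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Default posture: set SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 so the
    # application refuses SSLv3 (CVE-2014-3566) without a rebuild.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Opt-in for the old-VoIP-hardware case: clear only the NO_SSLv3 bit,
    # which is what SSL_CTX_clear_options() does. Whether SSLv3 then really
    # works depends on the OpenSSL build; many ship with it compiled out.
    if cfg["TLSAllowSSLv3"].strip().lower() == "true":
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    # Cipher list comes from config rather than being compiled in. A bad
    # string raises ssl.SSLError here at startup, not on the first call.
    ctx.set_ciphers(cfg["TLSCipherList"])
    return ctx


def disabled_protocols(ctx):
    """Protocol versions the context's option mask refuses to negotiate."""
    return sorted(name for name, bit in PROTOCOL_OPTIONS.items()
                  if int(ctx.options) & int(bit))


def cipher_names(ctx):
    """Cipher suite names OpenSSL actually enabled from the config string."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    default_ctx = build_context()
    print("disabled by default:", disabled_protocols(default_ctx))
    print("ciphers:", cipher_names(default_ctx))
```

On OpenSSL builds where SSL_OP_NO_SSLv2 is defined as zero (SSLv2 support removed), SSLv2 does not appear in the disabled list because there is no bit to check.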