
Re: SSL 3.0 and older ciphers selected in applications



On Mon, December 8, 2014 11:17, Daniel Pocock wrote:
> In the library package (libresiprocate-1.9.deb) there is no default
> SSL/TLS mode.  It uses whatever the project using the library selects.
> If some developer wants to enable dynamic selection of TLS version by
> using SSLv23_method then they are going to get SSLv3 too.  So I put the
> security tag on that bug and made it serious.  If the possible use of
> SSL v3 is not RC though, I can change the severity of that bug down to
> important.

In non-browser situations I see the possible use of SSLv3 currently as
undesirable but not as a critical issue. So changes addressing that now
have missed the freeze deadline. Pity, but nothing can be done about that.

> What is your impression of the cipher list though?  Should the MEDIUM
> entries, DES and RC4 stuff be in there or should I be getting rid of
> those and would that potentially justify an unblock or security bug?

Although we're striving to remove said protocols in jessie, I do not think
there's currently an acute security issue if they are enabled. And as you
said yourself, there's a compatibility question at stake in your ecosystem
which I know nothing about.

All in all I see no issues here that would warrant a DSA if they should be
present. So that makes it clear to me that a freeze exception on these
grounds is currently also not in reach.

> Should lintian possibly scan packages to see if they define cipher lists
> so they can be checked across the whole distribution or is that already
> checked in some way?

Would be nice, but I'm not sure I can devise a check that would recognise
cipher lists in a reliable way.

Cheers,
Thijs
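As an added illustration (not code from this thread, from Debian, or from reSIProcate), the following shows the two points the messages above raise: negotiating the TLS version dynamically without letting SSLv3 back in, and checking a cipher-list string for MEDIUM/DES/RC4 entries the way a lintian-style audit might. It uses Python's `ssl` module, which wraps the same OpenSSL cipher-list language: `PROTOCOL_TLS_CLIENT` stands in for `SSLv23_method`'s version negotiation and `minimum_version` stands in for `SSL_OP_NO_SSLv3`. The cipher specs and the list of weak-name markers are constructed assumptions for the example, not any package's real defaults.

```python
import ssl

# Cipher-list strings of the kind an application might hand to OpenSSL.
# Constructed for this example; they are not reSIProcate's actual settings.
LEGACY_SPEC = "ALL:!aNULL:!eNULL"                       # admits MEDIUM, RC4, DES
HARDENED_SPEC = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"  # strong suites only

# Name fragments this (hypothetical) policy treats as weak, mirroring the
# thread's concern about MEDIUM, DES and RC4 entries.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")
MIN_STRENGTH_BITS = 128


def make_client_context(cipher_spec: str) -> ssl.SSLContext:
    """Negotiate the protocol version dynamically (the role SSLv23_method
    plays in C), but pin the floor to TLS 1.2 so SSLv3 and TLS 1.0/1.1 can
    never be selected, then apply the given OpenSSL cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_spec)
    return ctx


def audit_cipher_spec(cipher_spec: str) -> dict:
    """Expand a cipher-list string against the linked OpenSSL and report the
    resulting suites that fall below the policy. The expansion is what makes
    the check reliable: aliases like MEDIUM or ALL are resolved by OpenSSL
    itself rather than guessed from the string."""
    try:
        ctx = make_client_context(cipher_spec)
    except ssl.SSLError as exc:
        # OpenSSL rejects a spec that selects no usable cipher at all.
        return {"ok": False, "weak": [], "count": 0, "error": str(exc)}
    suites = ctx.get_ciphers()
    weak = [
        c["name"]
        for c in suites
        if c["strength_bits"] < MIN_STRENGTH_BITS
        or any(marker in c["name"] for marker in WEAK_MARKERS)
    ]
    return {"ok": not weak, "weak": weak, "count": len(suites)}


if __name__ == "__main__":
    for label, spec in (("legacy", LEGACY_SPEC), ("hardened", HARDENED_SPEC)):
        report = audit_cipher_spec(spec)
        print(f"{label:9s} {spec!r}: {report['count']} suites, weak={report['weak']}")
```

The audit depends on the OpenSSL the interpreter is linked against, so a spec that looks permissive may expand to few or no weak suites on a build that already compiles RC4 and DES out; that is exactly why a string-matching lintian check on its own would be unreliable, as the reply above notes.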

