
Re: SSL 3.0 and older ciphers selected in applications



On Mon, Dec 08, 2014 at 07:42:54PM +0100, Daniel Pocock wrote:
> 
> Is it something that is going to happen with Ubuntu releases next year
> (e.g. April 2015)?
> 
> If so, it means that the repro package in jessie won't talk to a repro
> package in Ubuntu.

I think there is some misunderstanding.

People have been using methods like SSLv3_* and TLSv1_* while they
should use SSLv23_*.  SSLv3_* only supports SSL 3.0, TLSv1_* only
supports TLS 1.0, it does not support SSL 3.0 or TLS 1.1.  SSLv23_*
on the other hand supports all versions supported by the library (but
see below).  The intention is to drop all methods that only
support 1 protocol version and instead have only methods that
support all versions (SSLv23).

The library in jessie supports TLS 1.0 to TLS 1.2.  However the
SSLv3 methods still exist in jessie so you can still talk SSL
3.0 in jessie.  However the SSLv23 methods do not support SSL 3.0
in jessie anymore.  They still support SSL 3.0 in wheezy.  That
means if one side uses SSLv3_* and the version in jessie or
later uses SSLv23_* they will not talk to each other.  And there
are packages that have been fixed to stop using the SSLv3_*
methods in jessie and they will not talk to the version in wheezy.
The version in wheezy really should also get fixed to use the
SSLv23_* method.

The SSLv3_* method has been removed in experimental and the
TLSv1_* method will also be removed post jessie but I have no
timeframe for that.  But everybody really should only use the
SSLv23_* methods.

But the removal of the TLSv1_* methods should not cause any issue
if you replace it by the SSLv23_* methods since there currently
are no plans to drop support for TLS 1.0.



Kurt
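
The interoperability cases described in the mail above, as an added example that is not part of the original message and is not OpenSSL code: a small C model of pre-TLS 1.3 version negotiation between the method families. The struct, the range table and negotiate() are hypothetical names, and TLS 1.2 as the upper bound of wheezy's SSLv23_* is an assumption.

```c
#include <stdio.h>

/* Protocol versions as they appear on the wire. */
enum { SSL3_0 = 0x0300, TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };

/* Hypothetical model of a method family: the version range it will speak. */
struct method { const char *name; int min, max; };

/* Ranges follow the mail above; TLS 1.2 as the upper bound of wheezy's
 * SSLv23_* is an assumption, the mail does not state it. */
static const struct method SSLV3_ONLY    = { "SSLv3_*",           SSL3_0, SSL3_0 };
static const struct method TLSV1_ONLY    = { "TLSv1_*",           TLS1_0, TLS1_0 };
static const struct method SSLV23_WHEEZY = { "SSLv23_* (wheezy)", SSL3_0, TLS1_2 };
static const struct method SSLV23_JESSIE = { "SSLv23_* (jessie)", TLS1_0, TLS1_2 };

/* Client offers its highest version, server answers with the lower of the
 * two maxima, and either side aborts if that is below its own minimum.
 * Returns the agreed version, or 0 when the handshake fails. */
static int negotiate(const struct method *client, const struct method *server)
{
    int v = client->max < server->max ? client->max : server->max;
    return (v < client->min || v < server->min) ? 0 : v;
}

static const char *version_name(int v)
{
    switch (v) {
    case SSL3_0: return "SSL 3.0";
    case TLS1_0: return "TLS 1.0";
    case TLS1_1: return "TLS 1.1";
    case TLS1_2: return "TLS 1.2";
    default:     return "no common version";
    }
}

int main(void)
{
    const struct method *m[] = { &SSLV3_ONLY, &TLSV1_ONLY, &SSLV23_WHEEZY, &SSLV23_JESSIE };
    /* Print the full client x server interoperability matrix. */
    for (int c = 0; c < 4; c++)
        for (int s = 0; s < 4; s++)
            printf("%-18s -> %-18s : %s\n", m[c]->name, m[s]->name,
                   version_name(negotiate(m[c], m[s])));
    return 0;
}
```
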

