Re: SSL 3.0 and older ciphers selected in applications

To: Kurt Roeckx <kurt@roeckx.be>
Cc: 772487@bugs.debian.org, debian-security@lists.debian.org
Subject: Re: SSL 3.0 and older ciphers selected in applications
From: Daniel Pocock <daniel@pocock.pro>
Date: Mon, 08 Dec 2014 20:17:53 +0100
Message-id: <[🔎] 5485F961.8080203@pocock.pro>
In-reply-to: <[🔎] 20141208190631.GA20827@roeckx.be>
References: <[🔎] 20141208101220.GA13316@roeckx.be> <[🔎] 54858094.6070304@pocock.pro> <[🔎] 20141208113655.GA25596@roeckx.be> <[🔎] 54859797.6070304@pocock.pro> <[🔎] 20141208125312.GC11304@roeckx.be> <[🔎] 5485A904.4090504@pocock.pro> <[🔎] 20141208175834.GA11879@roeckx.be> <[🔎] 5485EC69.2030509@pocock.pro> <[🔎] 20141208182501.GA3453@roeckx.be> <[🔎] 5485F12E.9090808@pocock.pro> <[🔎] 20141208190631.GA20827@roeckx.be>


On 08/12/14 20:06, Kurt Roeckx wrote:
> On Mon, Dec 08, 2014 at 07:42:54PM +0100, Daniel Pocock wrote:
>>
>> Is it something that is going to happen with Ubuntu releases next year
>> (e.g. April 2015)?
>>
>> If so, it means that the repro package in jessie won't talk to a repro
>> package in Ubuntu.
> 
> I think there is some misunderstanding.
> 
> People have been using methods like SSLv3_* and TLSv1_* while they
> should use SSLv23_*.  SSLv3_* only support SSL 3.0, TLSv1_* only
> support TLS 1.0, it does not support SSL 3.0 or TLS 1.1.  SSLv23_*
> on the other hand supports all versions supported by library (but
> see below).  The intention is to drop all methods that only
> support 1 protocol version and instead have only methods that
> support all versions (SSLv23).
> 
> The library in jessie supports TLS 1.0 to TLS 1.2.  However the
> the SSLv3 methods still exist in jessie so you can still talk SSL
> 3.0 in jessie.  However the SSLv23 methods do not support SSL 3.0
> in jessie anymore.  They still supports SSL 3.0 in wheezy.  That
> means if one side uses SSLv3_* and the the verion in jessie or
> later use SSLv23_* they will not talk to each other.  And there
> are packages that have been fixed to stop using the SSLv3_*
> methods in jessie and they will not talk to the version in wheezy.
> The versie in wheezy really should also get fixed to use the
> SSLv23_* method.
> 
> The SSLv3_* method has been removed in experimental and the
> TLSv1_* method will also be removed post jessie but I have no
> timeframe for that.  But everybody really should only use the
> SSLv23_* methods.
> 
> But the removal of the TLSv1_* methods should not cause any issue
> if you replace it by the SSLv23_* methods since there currently
> are no plans to drop support for TLS 1.0.
> 

What we have right now in jessie (and wheezy) is hard-coded to use
TLSv1_method.

The v1.9.8-1 upload to unstable, which will also propagate to the next
Ubuntu and will also be uploaded to Fedora very soon, uses SSLv23_method

If I understand your reply correctly, the version in Ubuntu and Fedora
will still talk TLS 1.0 with the version now waiting in jessie?

Do you believe it would be reasonable for me to request a smaller
unblock that just changes the call TLSv1_method to SSLv23_method?

Reply to:

Follow-Ups:
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>

References:
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: SSL 3.0 and older ciphers selected in applications
  - From: Kurt Roeckx <kurt@roeckx.be>

Prev by Date: Re: SSL 3.0 and older ciphers selected in applications
Next by Date: Re: SSL 3.0 and older ciphers selected in applications
Previous by thread: Re: SSL 3.0 and older ciphers selected in applications
Next by thread: Re: SSL 3.0 and older ciphers selected in applications
Index(es):
- Date
- Thread