Bug#772480: improve administrative control over TLS, phase out SSL v3.0
Daniel Pocock
daniel at pocock.pro
Sun Dec 7 17:03:06 UTC 2014

Package: repro
Version: 1.9.7-1
Severity: important

Many sites wish to eliminate their use of SSL v3.0.

The repro proxy uses TLS v1.0 (OpenSSL TLSv1_method) by default.

The SIP stack offers developers a choice of
- SSLv23_method without any control over the options to disable SSLv3
- TLSv1_method for v1.0 only (not TLS v1.1 and beyond)

The proxy does not allow administrative control over the cipher list.

The upstream v1.9.8 release addresses all these issues:
- config option for setting the cipher list, so administrators can
  eliminate ciphers if they become vulnerable during the life of jessie
- config options for setting/clearing OpenSSL flags to disable SSLv3
- config option for the administrator to choose SSLv23 as a way to
  enable TLS v1.1 and TLS v1.2 (boosting security and compatibility)
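
The pattern the report describes (a version-flexible method plus administrator-controlled option flags and cipher list), sketched with Python's ssl module, which wraps OpenSSL. This is an added example, not code from the bug report or from repro; the settings key names and helper functions are hypothetical, and PROTOCOL_TLS_SERVER stands in for the version-flexible role of SSLv23_method.

```python
import ssl

# Hypothetical settings; these key names are assumptions for this example,
# not repro's actual configuration options.
SAMPLE_SETTINGS = {
    "cipher_list": "HIGH:!aNULL:!eNULL:!MD5:!RC4",
    "set_flags": ["OP_NO_SSLv3"],
    "clear_flags": [],
}

# Substrings of OpenSSL cipher names treated as weak by this example.
WEAK_MARKERS = ("RC4", "NULL", "EXP", "MD5")


def _flag(name):
    """Map an administrator-supplied flag name to an ssl.OP_* constant."""
    value = getattr(ssl, name, None) if name.startswith("OP_") else None
    if value is None:
        raise ValueError("unknown OpenSSL option flag: %r" % name)
    return value


def build_context(settings):
    """Version-flexible server context with admin-chosen flags and ciphers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    for name in settings.get("set_flags", []):
        ctx.options |= _flag(name)
    for name in settings.get("clear_flags", []):
        ctx.options &= ~_flag(name)
    # Raises ssl.SSLError if the string selects no usable cipher.
    ctx.set_ciphers(settings["cipher_list"])
    return ctx


def audit(ctx):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # Checks the option flag only, not the library's minimum-version setting.
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 is not disabled")
    for cipher in ctx.get_ciphers():
        if any(marker in cipher["name"] for marker in WEAK_MARKERS):
            findings.append("weak cipher enabled: " + cipher["name"])
    return findings
```
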