Bug#772480: improve administrative control over TLS, phase out SSL v3.0

Daniel Pocock daniel at pocock.pro
Sun Dec 7 17:03:06 UTC 2014


Package: repro
Version: 1.9.7-1
Severity: important

Many sites wish to eliminate their use of SSL v3.0.

The repro proxy uses TLS v1.0 (OpenSSL TLSv1_method) by default.

The SIP stack offers developers a choice of

- SSLv23_method without any control over the options to disable SSLv3
- TLSv1_method for v1.0 only (not TLS v1.1 and beyond)

The proxy does not allow administrative control over the cipher list.

The upstream v1.9.8 release addresses all these issues:

- config option for setting the cipher list, so administrators can
eliminate ciphers if they become vulnerable during the life of jessie

- config options for setting/clearing OpenSSL flags to disable SSLv3

- config option for the administrator to choose SSLv23 as a way to
enable TLS v1.1 and TLS v1.2 (boosting security and compatibility)
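
The three controls listed above (version-flexible method, an OpenSSL flag to disable SSLv3, an administrator-supplied cipher list) are shown below as an added example. It is not part of the original report and is not repro's code: it uses Python's ssl module, which drives the same OpenSSL context settings, and the names build_context, audit, CIPHER_POLICY and WEAK_TOKENS are hypothetical.

```python
import ssl
import warnings

# Constructed policy string for illustration; not repro's default.
CIPHER_POLICY = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5"
# Substrings of OpenSSL cipher names that an audit should flag.
WEAK_TOKENS = ("RC4", "DES-CBC3", "NULL", "MD5", "EXP")


def build_context(cipher_list=CIPHER_POLICY, allow_sslv3=False):
    """Server context on the version-flexible method, SSLv3 set by flag."""
    # PROTOCOL_TLS_SERVER is OpenSSL's version-flexible method, the
    # successor of SSLv23_method: it negotiates the highest common version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    opts = int(ctx.options)
    no_sslv3 = int(ssl.OP_NO_SSLv3)
    with warnings.catch_warnings():
        # Newer Pythons mark the OP_NO_* flags as deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        # Setting the flag maps to SSL_CTX_set_options, clearing it to
        # SSL_CTX_clear_options.
        ctx.options = (opts & ~no_sslv3) if allow_sslv3 else (opts | no_sslv3)
    # Raises ssl.SSLError when the string selects no cipher, so a typo in
    # the configured list stops startup instead of being ignored.
    ctx.set_ciphers(cipher_list)
    return ctx


def audit(ctx):
    """Report whether SSLv3 is disabled and which enabled ciphers are weak."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = sorted(n for n in names if any(t in n for t in WEAK_TOKENS))
    return {
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "weak_ciphers": weak,
    }


if __name__ == "__main__":
    print("hardened:", audit(build_context()))
    print("legacy:  ", audit(build_context(allow_sslv3=True)))
```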


