Bug#772528: disabling SSL v3 support
Daniel Pocock
daniel at pocock.pro
Mon Dec 8 08:01:13 UTC 2014
Package: libresiprocate-1.9
Version: 1.9.7-1
Severity: serious
Tags: security
Thanks to POODLE[1], CVE-2014-3566, many people want to disable SSL v3.0.

The existing reSIProcate library code offers developers a choice between
TLSv1_method() and SSLv23_method().

Using TLSv1_method() disables the SSL v3 support but has other
limitations, e.g. it does not support TLS 1.1 or 1.2.

Despite the name implying SSL v2 or v3, using SSLv23_method() is also
the way to get TLS v1.1 and TLS v1.2. Normally, somebody who wants to
support all TLS versions and not be exposed to SSL v3 issues needs to both:

a) choose SSLv23_method()
b) set the flag SSL_OP_NO_SSLv3 in a call to SSL_CTX_set_options

Currently, reSIProcate does not call SSL_CTX_set_options and does not
provide any API for the application using reSIProcate to call it.

The new upstream release 1.9.8 specifically targets this issue and
provides a static variable BaseSecurity::OpenSSLCTXSetOptions that can
be used to set these flags. Furthermore, it now includes the
SSL_OP_NO_SSLv3 flag by default to ensure that SSL v3 is not active
unless somebody explicitly overrides the flags.

This change in reSIProcate 1.9.8 is ABI compatible with 1.9.7 (it only
adds new static variables and static methods) so there should be no need
for a transition.
1. https://security-tracker.debian.org/tracker/CVE-2014-3566
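The mechanism the report describes (version-flexible method plus SSL_OP_NO_SSLv3, and the danger of an application overriding that flag), as an added example that is neither reSIProcate code nor part of the original message. It uses Python's standard ssl module because that module wraps the same OpenSSL calls without needing the C headers: SSLContext(PROTOCOL_TLS_SERVER) corresponds to SSL_CTX_new() with the version-flexible method (SSLv23_method(), renamed TLS_method() in later OpenSSL releases), and ctx.options |= flags corresponds to SSL_CTX_set_options(). The names DEFAULT_CTX_OPTIONS, make_tls_context, sslv3_offered, override_to_allow_sslv3, harden and demo are this example's own; DEFAULT_CTX_OPTIONS plays the part the report assigns to BaseSecurity::OpenSSLCTXSetOptions and is not that variable.

```python
"""Added example (not reSIProcate code): the SSLv23_method() +
SSL_OP_NO_SSLv3 pattern from the bug report, via Python's stdlib ssl
module, plus an audit that catches a context where the flag was overridden.
"""
import ssl
import warnings

# One place that decides which option bits every context gets. This is the
# role BaseSecurity::OpenSSLCTXSetOptions has in reSIProcate 1.9.8; the name
# and value here are this example's own assumption.
DEFAULT_CTX_OPTIONS = ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3


def _set_option_bits(ctx, bits, clear=False):
    """Set (or, for the override demo, clear) SSL_OP_* bits on a context.

    SSL_CTX_set_options() itself can only add bits; Python's ``options``
    property allows both directions. Python marks the OP_NO_* constants as
    deprecated in favour of minimum_version, hence the warning filter.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        if clear:
            ctx.options &= ~bits
        else:
            ctx.options |= bits
    return ctx


def make_tls_context(option_bits=DEFAULT_CTX_OPTIONS, server_side=True):
    """Equivalent of picking SSLv23_method() and then calling SSL_CTX_set_options().

    PROTOCOL_TLS_SERVER/CLIENT negotiate the highest version both peers
    support (TLS 1.1, 1.2 and later included), which is why the report says
    SSLv23_method() is the method to choose; TLSv1_method() pins TLS 1.0.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    return _set_option_bits(ctx, option_bits)


def sslv3_offered(ctx):
    """True if nothing in the context forbids an SSL 3.0 handshake.

    OpenSSL refuses a version either when its SSL_OP_NO_* bit is set (the
    mechanism the report discusses) or when the minimum protocol version is
    above it, so a POODLE audit has to look at both knobs.
    """
    no_sslv3_bit = bool(ctx.options & ssl.OP_NO_SSLv3)
    floor_above_sslv3 = ctx.minimum_version > ssl.TLSVersion.SSLv3
    return not (no_sslv3_bit or floor_above_sslv3)


def override_to_allow_sslv3(ctx):
    """What "explicitly overriding the flags" looks like in practice.

    Exists only so the audit has something to catch. Whether a handshake
    would then really succeed depends on how the local OpenSSL was built,
    which is exactly why the configuration is audited instead of trusting
    library defaults.
    """
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return _set_option_bits(ctx, ssl.OP_NO_SSLv3, clear=True)


def harden(ctx):
    """Re-apply the report's fix: OR SSL_OP_NO_SSLv3 back into the options."""
    return _set_option_bits(ctx, DEFAULT_CTX_OPTIONS)


def demo():
    """Return the SSL v3 exposure of one context: fresh, overridden, hardened."""
    ctx = make_tls_context()
    fresh = sslv3_offered(ctx)
    after_override = sslv3_offered(override_to_allow_sslv3(ctx))
    after_harden = sslv3_offered(harden(ctx))
    return fresh, after_override, after_harden


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

Python's own SSLContext already sets OP_NO_SSLv3 on every new context, which is the same default 1.9.8 adopts; the audit therefore only reports exposure once something has cleared the bit and lowered the version floor, as override_to_allow_sslv3 does. A context that clears SSL_OP_NO_SSLv3 but keeps a TLS 1.2 minimum is still reported as safe, because OpenSSL honours either restriction. The check reads configuration rather than attempting an SSL 3.0 handshake, so it works on builds where SSL v3 has been compiled out entirely.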
More information about the Pkg-voip-maintainers
mailing list