Bug#772632: OpenSSL security/interop recommendations
Daniel Pocock
daniel at pocock.pro
Tue Dec 9 10:51:14 UTC 2014
Package: repro
Version: 1.9.7-1
Severity: serious
After discussion on debian-security, two specific issues have been
identified[1] that have an impact on security support and
interoperability with TLS:
a) avoiding the TLSv1_method in the OpenSSL API and just using SSLv23_method
b) not trying to use TLS 1.2 when acting as a client as there are
sometimes problems with the way some servers respond[2]
Point (a) was fixed more comprehensively in the upstream 1.9.8 release
but can be fixed with a more concise and targeted patch for jessie.
Point (b) was not addressed upstream yet but is also trivial to address
in a manner that is suitable for the freeze process.
1. https://lists.debian.org/debian-security/2014/12/msg00032.html
2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666051#28
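The two recommendations above map onto OpenSSL's context setup: point (a) is the choice between TLSv1_method(), which pins a context to exactly TLS 1.0, and SSLv23_method() (TLS_method() from OpenSSL 1.1.0 on), which negotiates the highest version both peers support, with unwanted versions then switched off via SSL_CTX_set_options or the min/max protocol-version setters; point (b) is a client-side cap on the offered version. The following is an added example, not code from the bug report or from the repro project; it uses Python's ssl module, which wraps the same OpenSSL API, and the function names and the TLS 1.2 floor are assumptions chosen here (the 2014 report only required SSLv2 and SSLv3 to be off).

```python
"""Added example: version-agnostic TLS client setup (the SSLv23_method /
TLS_method pattern from point (a)) and the per-peer version cap from
point (b), expressed through Python's ssl module, which wraps OpenSSL.
Function names and the default TLS 1.2 floor are this example's choices,
not something the bug report or the repro project specifies."""
import ssl


def build_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Negotiating client context instead of a version-pinned one.

    PROTOCOL_TLS_CLIENT corresponds to OpenSSL's negotiating method
    (SSLv23_method / TLS_method).  The floor is set explicitly with the
    min-proto-version setter rather than by pinning a single version, so
    newer TLS versions are used automatically when the peer offers them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    # PROTOCOL_TLS_CLIENT already turns these on; they are restated so the
    # verification policy is visible next to the version policy.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cap_for_legacy_peer(ctx, maximum=ssl.TLSVersion.TLSv1_1):
    """Point (b): cap the version the client offers to a peer that mishandles
    a TLS 1.2 ClientHello.  This deliberately gives up TLS 1.2 (and 1.3) on
    this context, so apply it to a context used for that peer only, never
    to a process-wide default."""
    ctx.maximum_version = maximum
    return ctx


def build_legacy_client_context():
    """Convenience: the 2014 report's floor (SSLv2/SSLv3 off, TLS 1.0 up)
    combined with the point (b) cap, for a single interop-problem peer."""
    return cap_for_legacy_peer(build_client_context(minimum=ssl.TLSVersion.TLSv1))


def describe(ctx):
    """Summarise the negotiable range so a reviewer can check it at a glance."""
    sslv3_off = (bool(ctx.options & ssl.OP_NO_SSLv3)
                 or ctx.minimum_version >= ssl.TLSVersion.TLSv1)
    return {
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "sslv3_disabled": sslv3_off,
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


if __name__ == "__main__":
    print("default client:", describe(build_client_context()))
    print("legacy peer:   ", describe(build_legacy_client_context()))
```

The design point is that the version range is a property of the context, not of the method: the negotiating method plus an explicit floor (and, only where point (b) applies, an explicit ceiling) is what lets a package keep getting security updates for newer protocol versions without a code change.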