Bug#772632: OpenSSL security/interop recommendations

Daniel Pocock daniel at pocock.pro
Tue Dec 9 10:51:14 UTC 2014


Package: repro
Version: 1.9.7-1
Severity: serious

After discussion on debian-security, two specific issues have been
identified[1] that have an impact on security support and
interoperability with TLS:

a) avoiding the TLSv1_method in the OpenSSL API and just using SSLv23_method

b) not trying to use TLS 1.2 when acting as a client as there are
sometimes problems with the way some servers respond[2]

Point (a) was fixed more comprehensively in the upstream 1.9.8 release
but can be fixed with a more concise and targeted patch for jessie.

Point (b) was not addressed upstream yet but is also trivial to address
in a manner that is suitable for the freeze process.


1. https://lists.debian.org/debian-security/2014/12/msg00032.html

2. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666051#28


