Bug#784153: don't use TLSv1 by default, use SSLv23

Emmanuel Lepage emmanuel.lepage at savoirfairelinux.com
Mon May 4 15:11:12 UTC 2015


Hello,

(SFLphone/Ring developer here)

In the newer releases, now called Ring, we removed SSLv23 as in
our opinion it never really made sense. The new default is
"automatic" and will pick TLS v1."best" and try to fall back.
SSL is 20 years old, broken, vulnerable and deprecated. The
reason why we kept it is to support some old, buggy SIP servers.

In my opinion, if you are to remove options from our TLS method
dropdown, drop SSLv23 (unless I missed something).

Ring is not ready to replace SFLphone in Sid as we depend on
some pjproject patches. One is to use GnuTLS instead of OpenSSL
and the other to expose certificates and ciphers in the API. We
use this to create a Firefox/Chrome like security asset evaluation
(work in progress). We never had luck getting those kinds of patches
merged upstream, so for now we are using a static pjproject lib.

The problem with the old sflphone security features is that they
are way too complicated for the user to configure. In the end this
probably makes the whole package less secure. This cannot be fixed
and backported into Jessie, so dropping SSLv23 from the GUI is
probably the least problematic option.

Patches:
https://projects.savoirfairelinux.com/projects/ring-daemon/repository/revisions/master/show/contrib/src/pjproject

----- Original Message -----
From: "Daniel Pocock" <daniel at pocock.pro>
To: submit at bugs.debian.org
Sent: Sunday, May 3, 2015 11:01:18 AM
Subject: Bug#784153: don't use TLSv1 by default, use SSLv23

Package: sflphone-gnome
Version: 1.4.1-0.1+b1
Severity: important

In the Advanced options for a SIP account, on the TLS settings dialog,
TLSv1 is the default.

SSLv23_method should be used as default, as discussed in this thread:

https://lists.debian.org/debian-security/2014/12/msg00017.html

_______________________________________________
Pkg-voip-maintainers mailing list
Pkg-voip-maintainers at lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-voip-maintainers
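Added example, not code from the bug report, this reply, or the SFLphone/Ring project: a small Python model of what the two OpenSSL method names in this thread do. In OpenSSL, TLSv1_method pins a connection to TLS 1.0 and nothing else, while SSLv23_method (the name is historical; it is TLS_method in OpenSSL 1.1.0+) is the version-flexible method that negotiates the highest version both peers support, with SSLv2/SSLv3 switched off via SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 or a minimum-version setting. The Method class, the negotiate() function and the version table are constructed for illustration; the ssl calls at the end are real standard-library APIs and show the modern way to express "highest common version, nothing below TLS 1.2".

```python
"""Version-flexible vs version-pinned TLS method selection (added example)."""
import ssl
from dataclasses import dataclass
from typing import Optional

# Wire-format version numbers, used only to order the protocols (constructed table).
VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}


@dataclass(frozen=True)
class Method:
    """The range of protocol versions one peer is willing to speak (hypothetical model)."""
    name: str
    min_version: str
    max_version: str


# TLSv1_method: a pinned method, exactly one version and nothing else.
TLSV1_METHOD = Method("TLSv1_method", "TLSv1", "TLSv1")
# SSLv23_method: the version-flexible method; it negotiates the highest version
# both sides support (called TLS_method in OpenSSL 1.1.0+).
SSLV23_METHOD = Method("SSLv23_method", "SSLv3", "TLSv1.2")
# SSLv23_method with the old protocols switched off (SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3
# plus a TLS 1.2 floor): still flexible upward, but refuses anything below TLS 1.2.
HARDENED_METHOD = Method("SSLv23_method+floor", "TLSv1.2", "TLSv1.2")
# A legacy server that only speaks SSLv3 (the "old, buggy SIP server" case).
SSLV3_ONLY_SERVER = Method("SSLv3_method", "SSLv3", "SSLv3")


def negotiate(client: Method, server: Method) -> Optional[str]:
    """Return the protocol version the two peers agree on, or None if the handshake fails.

    The client offers its highest version; the server answers with the highest version
    it supports that does not exceed the offer; each side then rejects the result if it
    falls below that side's own floor. This is the essence of version negotiation.
    """
    chosen = min(VERSIONS[client.max_version], VERSIONS[server.max_version])
    for side in (client, server):
        if chosen < VERSIONS[side.min_version]:
            return None
    return next(name for name, num in VERSIONS.items() if num == chosen)


def hardened_client_minimum() -> str:
    """Modern spelling of 'SSLv23_method with SSLv2/SSLv3 disabled' in Python's ssl
    module: a version-flexible client context whose floor is raised to TLS 1.2."""
    ctx = ssl.create_default_context()          # negotiates the highest common version
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.minimum_version.name              # "TLSv1_2"


if __name__ == "__main__":
    cases = [
        ("pinned client, flexible server", TLSV1_METHOD, SSLV23_METHOD),
        ("flexible client, flexible server", SSLV23_METHOD, SSLV23_METHOD),
        ("hardened client, SSLv3-only server", HARDENED_METHOD, SSLV3_ONLY_SERVER),
        ("pinned client, hardened server", TLSV1_METHOD, HARDENED_METHOD),
    ]
    for label, c, s in cases:
        print(f"{label:36s} -> {negotiate(c, s) or 'handshake fails'}")
    print("hardened ssl context floor:", hardened_client_minimum())
```

Running the block shows the practical point behind the bug report: a client pinned with TLSv1_method gets TLS 1.0 even when both peers could speak TLS 1.2, and it cannot connect at all to a server that has raised its floor; a version-flexible method with the old protocols disabled gets the best common version and refuses an SSLv3-only peer. The defensive pattern is "negotiate upward, set a floor", not "pin one old version".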
