Bug#784153: don't use TLSv1 by default, use SSLv23
Daniel Pocock
daniel at pocock.pro
Mon May 4 16:00:06 UTC 2015
On 04/05/15 17:11, Emmanuel Lepage wrote:
> Hello,
>
> (SFLphone/Ring developer here)
>
> In the newer releases, now called Ring, we removed SSLv23 as in
> our opinion it never really made sense. The new default is
> "automatic" and will pick TLS v1."best" and try to fall back.
> SSL is 20 years old, broken, vulnerable and deprecated. The
> reason why we kept it is to support some old, buggy SIP servers.
>
> In my opinion, if you are to remove options from our TLS method
> dropdown, drop SSLv23. (unless I missed something).
Thanks for the fast reply
Please have a look at the SSLv23_method() documentation:
https://www.openssl.org/docs/ssl/SSL_CTX_new.html
SSLv23_method does not enable SSLv2 or SSLv3 if they are removed from
OpenSSL.
SSLv23_method is simply a wildcard method with a very bad name. It
should probably be called SSLv23_or_any_TLS_method() because it will
actually enable selection of ANY SSL or TLS version that is present in
the OpenSSL library.
If you use TLSv1_method as the default it is actually worse, because it
prevents the client from working with a server that insists on TLS v1.1 or v1.2.