Bug#784153: don't use TLSv1 by default, use SSLv23

Emmanuel Lepage emmanuel.lepage at savoirfairelinux.com
Mon May 4 16:23:12 UTC 2015


Hello again,

We will do the TLS method selection on our side and set a
minimum protocol version rather than do this. Anyway, we don't use
OpenSSL anymore and force GnuTLS, so this document is not really
relevant to the current state of the Ring project.

----- Original Message -----
From: "Daniel Pocock" <daniel at pocock.pro>
To: "Emmanuel Lepage" <emmanuel.lepage at savoirfairelinux.com>, 784153 at bugs.debian.org
Sent: Monday, May 4, 2015 12:00:06 PM
Subject: Re: Bug#784153: don't use TLSv1 by default, use SSLv23

On 04/05/15 17:11, Emmanuel Lepage wrote:
> Hello,
> 
> (SFLphone/Ring developer here)
> 
> In the newer releases, now called Ring, we removed SSLv23 as in
> our opinion it never really made sense. The new default is
> "automatic" and will pick TLS v1."best" and try to fallback.
> SSL is 20 years old, broken, vulnerable and deprecated. The
> reason why we kept it is to support some old, buggy SIP servers.
> 
> In my opinion, if you are to remove options from our TLS method
> dropdown, drop SSLv23. (unless I missed something).


Thanks for the fast reply

Please have a look at the SSLv23_method() document
https://www.openssl.org/docs/ssl/SSL_CTX_new.html

SSLv23_method does not enable SSLv2 or SSLv3 if they are removed from
OpenSSL

SSLv23_method is simply a wildcard method with a very bad name.  It
should probably be called SSLv23_or_any_TLS_method() because it will
actually enable selection of ANY SSL or TLS version that is present in
the OpenSSL library.

If you use TLSv1_method as default it is actually worse because it
prevents the client from working with a server that insists on TLS v1.1 or v1.2.
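Daniel's point that SSLv23_method is a wildcard over whatever versions the library contains, and Emmanuel's plan to set a minimum version instead, illustrated as an added example (not code from this bug thread or from the Ring project) using CPython's ssl module, which wraps the same OpenSSL methods. TLSv1_method is modelled as the wildcard with min == max == TLS 1.0 (the replacement OpenSSL itself recommends for the version-specific methods), and the server version lists are constructed inputs.

```python
import ssl
import warnings

# Every version OpenSSL can be built with, lowest first; HAS_* says what this build
# actually compiled in, so a version removed from the library simply drops out.
ALL_VERSIONS = [
    (ssl.TLSVersion.SSLv3, "SSLv3", ssl.HAS_SSLv3),
    (ssl.TLSVersion.TLSv1, "TLSv1", ssl.HAS_TLSv1),
    (ssl.TLSVersion.TLSv1_1, "TLSv1.1", ssl.HAS_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, "TLSv1.2", ssl.HAS_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, "TLSv1.3", ssl.HAS_TLSv1_3),
]

def wildcard_context(minimum=ssl.TLSVersion.TLSv1_2):
    """SSLv23_method()-style wildcard: any compiled-in version at or above `minimum`."""
    # PROTOCOL_TLS_CLIENT (legacy alias PROTOCOL_SSLv23) is the "any version" method;
    # the floor is then set explicitly rather than left to whatever the build contains.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum  # maximum_version stays at MAXIMUM_SUPPORTED
    return ctx

def pinned_tlsv1_context():
    """TLSv1_method()-style context: exactly TLS 1.0, modelled as the wildcard with min == max."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # CPython flags a 1.0 bound as deprecated
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx

def negotiable_versions(ctx):
    """Names of the versions `ctx` could negotiate: compiled in and inside [min, max]."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    names = []
    for ver, name, compiled_in in ALL_VERSIONS:
        if not compiled_in or not (lo <= ver <= hi):
            continue
        if ver == ssl.TLSVersion.SSLv3 and ctx.options & ssl.OP_NO_SSLv3:
            continue  # Python's default options veto SSLv3 even when the build has it
        names.append(name)
    return names

def server_accepts(client_ctx, server_versions):
    """Highest version both sides offer, or None when the handshake would fail."""
    common = [v for v in negotiable_versions(client_ctx) if v in server_versions]
    return common[-1] if common else None
```

Calling server_accepts(pinned_tlsv1_context(), ["TLSv1.2", "TLSv1.3"]) returns None, which is the failure Daniel describes against a server insisting on TLS 1.2, while the wildcard context with a TLS 1.2 floor negotiates with that server and still refuses a TLS 1.0-only one.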
