Allow specific SSL/TLS versions to be disabled #208
Mar 31, 2016
Your great patch is much appreciated. We are considering applying your patch to the SoftEther VPN main tree.
SoftEther VPN Patch Acceptance Policy:
You have two options, which are described in the above policy.
Instead of the #208 patch, which adds a lot of unnecessary code that needs to be maintained and complicates the design, I recommend simply disabling all older protocols by default. More code means more potential for exploits. And these older protocols should never be used by anyone; they are no longer safe.
Also, the SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_DTLSv1 and SSL_OP_NO_DTLSv1_2 options have been deprecated since OpenSSL 1.1.0 and should be replaced by SSL_CTX_set_min_proto_version and SSL_CTX_set_max_proto_version. Reference: https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_options.html
My proposed code change:
Do not modify the Cedar.c, Cedar.h or Network.h files. And, in Cedar/Connection.c and Cedar/Server.c, remove any code involving AcceptOnlyTls, it is no longer needed.
In the StartSSLEx method in src/Mayaqua/Network.c, remove the code for the AcceptOnlyTls setting completely and add the following. Note: 0 in the max proto setting means up to the highest version supported:
If you would like, you could add a define somewhere in the header for providing the default minimum and maximum TLS versions and/or retrieve it via a user provided setting. But, I leave that up to you.
My code can be provided to both the commercial and GPL versions under Option 1. I hope this decision will help provide the needed security, privacy and safety to everyone equally.
Edit: I changed max to 0 so that we take advantage of the next protocol that is released after TLS 1.2 automatically.
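The min/max replacement proposed above, as an added example that is neither SoftEther's nor the commenter's code. It is written against Python's ssl module, which calls the same OpenSSL SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version underneath; the VERSION_ORDER table and the function names are constructed for this example. It also shows the one case the old per-version SSL_OP_NO_* flags could express but a min/max range cannot: a disabled version sitting between enabled ones.

```python
import ssl

# Protocol versions oldest first; the proposal's "max = 0" means the last entry
# and anything released after it, so TLS 1.3 is included (constructed table).
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]

# The pre-1.2 versions an audit should flag.
LEGACY = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def legacy_flags_to_range(disabled):
    """Translate a set of SSL_OP_NO_<version> disables into the (min, max) pair
    that SSL_CTX_set_min_proto_version / SSL_CTX_set_max_proto_version take.

    `disabled` holds names from VERSION_ORDER. Returns (min_name, max_name), where
    max_name None stands for OpenSSL's 0 ("highest supported"). A disable set that
    leaves a hole (e.g. TLSv1 off but SSLv3 on) has no min/max equivalent.
    """
    enabled = [v for v in VERSION_ORDER if v not in disabled]
    if not enabled:
        raise ValueError("every protocol version is disabled")
    lo, hi = VERSION_ORDER.index(enabled[0]), VERSION_ORDER.index(enabled[-1])
    if hi - lo + 1 != len(enabled):
        raise ValueError(f"non-contiguous version set {enabled} is not a min/max range")
    max_name = None if hi == len(VERSION_ORDER) - 1 else enabled[-1]
    return enabled[0], max_name


def hardened_server_context():
    """Server context equivalent to the proposed StartSSLEx change: floor at
    TLS 1.2, ceiling left open so newer versions are negotiated automatically."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED  # OpenSSL's 0
    return ctx


def legacy_versions_allowed(ctx):
    """Audit helper: names of pre-1.2 versions the context's floor still admits.
    MINIMUM_SUPPORTED (-2) is a sentinel, so it means 'everything allowed'."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return [v.name for v in LEGACY]
    return [v.name for v in LEGACY if v >= floor]


if __name__ == "__main__":
    print(legacy_flags_to_range({"SSLv3", "TLSv1", "TLSv1_1"}))  # ('TLSv1_2', None)
    print(legacy_versions_allowed(hardened_server_context()))   # []
```

The floor is a property of the context only; the OpenSSL build's own security level may refuse old versions even where the context would admit them, so the audit reports configuration, not what a handshake will actually negotiate.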
Thank you so much for your contribution to enrich the SoftEther VPN source code.
Your patch has been merged into the main source tree of SoftEther VPN.
As a token of our gratitude, your GitHub username has been added to the AUTHORS.TXT file and to the header of the related source file.
Thanks again for your contribution.