This repository has been archived by the owner on May 24, 2022. It is now read-only.
Fix TLS setting to use TLS 1.x (support TLS 1.1/1.2) #138
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When we run using "--tls" (default) we create the SSL context with a TLSv1_*_method(), however, this _only_ supports TLS 1.0 connections. In contrast, when we run with "--ssl" we use a SSLv23_*_method() which allows all supported protocols. We block SSL 2.0 by passing in the SSL_OP_NO_SSLv2 flag in SSL_CTX_set_options. This results in the somewhat counterintuitive situation where the supported protocols are: * --tls: TLS 1.0 * --ssl: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 This patch fixes the handling of "--tls" so that it supports TLS 1.x while ensuring SSL 3.0 is blocked (SSL 2.0 is always blocked). This all assumes an OpenSSL library capable of supports newer TLS versions, otherwise, the above change will have no effect on stud's behaviour (ie. --ssl supports SSL 3.0/TLS 1.0, --tls supports TLS 1.0).
This change also provides a reasonable solution to the recently released POODLE vulnerability. http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html |
bueti
pushed a commit
to cmeury/stud
that referenced
this pull request
Oct 15, 2014
Original commit message: Fix TLS setting to use TLS 1.x (support TLS 1.1/1.2) When we run using "--tls" (default) we create the SSL context with a TLSv1_*_method(), however, this _only_ supports TLS 1.0 connections. In contrast, when we run with "--ssl" we use a SSLv23_*_method() which allows all supported protocols. We block SSL 2.0 by passing in the SSL_OP_NO_SSLv2 flag in SSL_CTX_set_options. This results in the somewhat counterintuitive situation where the supported protocols are: * --tls: TLS 1.0 * --ssl: SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 This patch fixes the handling of "--tls" so that it supports TLS 1.x while ensuring SSL 3.0 is blocked (SSL 2.0 is always blocked). This all assumes an OpenSSL library capable of supports newer TLS versions, otherwise, the above change will have no effect on stud's behaviour (ie. --ssl supports SSL 3.0/TLS 1.0, --tls supports TLS 1.0). see bumptech#138
petemod
added a commit
to petemod/stud
that referenced
this pull request
Oct 19, 2014
mendsley
added a commit
to mendsley/stud
that referenced
this pull request
Oct 21, 2014
svpcom
added a commit
to svpcom/stud
that referenced
this pull request
Feb 22, 2015
Merge remote-tracking branch 'source/pr/138'
jperkin
pushed a commit
to TritonDataCenter/pkgsrc-legacy
that referenced
this pull request
Mar 4, 2015
jperkin
pushed a commit
to TritonDataCenter/pkgsrc-legacy
that referenced
this pull request
Mar 4, 2015
jsonn
pushed a commit
to jsonn/pkgsrc
that referenced
this pull request
Mar 5, 2015
Bump PKGREVISION.
berenddeboer
added a commit
to berenddeboer/stud
that referenced
this pull request
Nov 30, 2015
Closing PR as project is no longer maintained. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When we run using "--tls" (default) we create the SSL context with a
TLSv1_method(), however, this only supports TLS 1.0 connections. In
contrast, when we run with "--ssl" we use a SSLv23_method() which
allows all supported protocols. We block SSL 2.0 by passing in the
SSL_OP_NO_SSLv2 flag in SSL_CTX_set_options. This results in the
somewhat counterintuitive situation where the supported protocols are:
This patch fixes the handling of "--tls" so that it supports TLS 1.x
while ensuring SSL 3.0 is blocked (SSL 2.0 is always blocked).
This all assumes an OpenSSL library capable of supports newer TLS
versions, otherwise, the above change will have no effect on stud's
behaviour (ie. --ssl supports SSL 3.0/TLS 1.0, --tls supports TLS 1.0).