Hi all, I've made some changes to TLS code in reSIProcate

- setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()
- adding configuration options to override the options to SSL_CTX_set_options (as it is possible there will be some user with old VoIP hardware out there who wants SSL v3)
- making the cipher list configurable in repro.config

The release team didn't feel these things justify an unblock request[1]. Can anybody comment on this?

Looking at the CVE details[2], it appears that some packages still support SSL v3 while I've heard many people just want to turn it off. Is it important for application developers to try and minimize the use of SSL v3 and older ciphers or will these things be phased out by changing the options centrally in the OpenSSL packages?

I felt that by putting control of these things in the libresip API and the repro.config file it would help avoid situations where the package needs to be recompiled to deal with security patching and therefore reduce the burden on the security updates process.

If it will help the release team, is there anybody from the security team who could review the changes in my debdiff?

Regards,

Daniel

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772487
2. https://security-tracker.debian.org/tracker/CVE-2014-3566
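Added here as an illustration, not code from reSIProcate or the debdiff: the same pattern (a negotiate-any-version context like SSLv23_method(), SSLv3 off by default, protocol versions and cipher list overridable from a repro.config-style file) written against Python's ssl module, which exposes the same OpenSSL SSL_OP_NO_* bits as the C API. The [tls] section, its key names and the sample config are assumptions made for this example.

```python
import ssl
import configparser

# Constructed repro.config-style fragment; the [tls] section and key names
# are assumptions for this example, not reSIProcate's real option names.
SAMPLE_CONFIG = """
[tls]
disabled_protocols = SSLv2 SSLv3
cipher_list = HIGH:!aNULL:!MD5
"""

# Config protocol names -> OpenSSL SSL_OP_NO_* bits (same values as the C API).
PROTO_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
}
ALL_VERSION_BITS = 0
for _bit in PROTO_FLAGS.values():
    ALL_VERSION_BITS |= _bit
DEFAULT_DISABLED = "SSLv2 SSLv3"  # secure default when the config is silent


def disabled_protocol_mask(disabled: str) -> int:
    """Return the SSL_OP_NO_* mask for a space-separated list of names."""
    mask = 0
    for name in disabled.split():
        if name not in PROTO_FLAGS:
            raise ValueError(f"unknown protocol in config: {name}")
        mask |= PROTO_FLAGS[name]
    return mask


def build_context(config_text: str) -> ssl.SSLContext:
    """Server context equivalent to SSLv23_method() plus config-driven options."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    disabled = cfg.get("tls", "disabled_protocols", fallback=DEFAULT_DISABLED)
    ciphers = cfg.get("tls", "cipher_list", fallback="HIGH:!aNULL:!MD5")
    # PROTOCOL_TLS_SERVER negotiates the highest common version, like
    # SSLv23_method(); the SSL_OP_NO_* bits then prune the low end.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Clear all version bits first so an explicit override (a config that
    # keeps SSLv3 for old VoIP gear) takes effect, then set exactly what
    # the config asks for (SSL_CTX_clear_options + SSL_CTX_set_options).
    wanted = disabled_protocol_mask(disabled)
    ctx.options = (int(ctx.options) & ~ALL_VERSION_BITS) | wanted
    # Fail at startup on a bad cipher string rather than run with a fallback.
    ctx.set_ciphers(ciphers)
    return ctx
```

Because the version bits and cipher list come from the config, changing either after a security advisory is a config edit and a restart, not a rebuild of the package.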