On 04/05/15 17:11, Emmanuel Lepage wrote:
> Hello,
>
> (SFLphone/Ring developer here)
>
> In the newer releases, now called Ring, we removed SSLv23 as in
> our opinion it never really made sense. The new default is
> "automatic" and will pick TLS v1."best" and try to fall back.
> SSL is 20 years old, broken, vulnerable and deprecated. The
> reason why we kept it is to support some old, buggy SIP servers.
>
> In my opinion, if you are to remove options from our TLS method
> dropdown, drop SSLv23. (unless I missed something).

Thanks for the fast reply.

Please have a look at the SSLv23_method() document:

https://www.openssl.org/docs/ssl/SSL_CTX_new.html

SSLv23_method does not enable SSLv2 or SSLv3 if they are removed from
OpenSSL.

SSLv23_method is simply a wildcard method with a very bad name. It
should probably be called SSLv23_or_any_TLS_method() because it will
actually enable selection of ANY SSL or TLS version that is present in
the OpenSSL library.

If you use TLSv1_method as default it is actually worse because it
prevents the client working with a server that insists on TLS v1.1 or
v1.2.
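
The difference between a wildcard method and a version-pinned one is visible in the ClientHello each produces. The following is an added example, not code from this thread or from SFLphone/Ring. It uses Python's ssl module (built on OpenSSL) and assumes PROTOCOL_TLS_CLIENT as the modern counterpart of SSLv23_method, a TLS 1.2 pin standing in for a fixed method such as TLSv1_method, and a made-up host name.

```python
import ssl
import struct

def client_hello(ctx):
    """Run the client side of a handshake in memory; return its first flight."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Host name is a constructed placeholder; nothing is sent on the network.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="sip.example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server attached, only the ClientHello is wanted
    return outgoing.read()

def offered_versions(record):
    """Return the protocol versions a ClientHello record offers, highest first."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello"
    pos = 5 + 4                                    # record + handshake headers
    (legacy,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                                  # legacy_version + random
    pos += 1 + record[pos]                         # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                         # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:                         # supported_versions extension
            count = record[pos] // 2
            found = struct.unpack_from("!%dH" % count, record, pos + 1)
            return sorted(found, reverse=True)
        pos += ext_len
    return [legacy]                                # no extension: one version only

def flexible_context():
    # Wildcard method: offers every version the library and policy allow.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

def pinned_context():
    # Pin to a single version, as a fixed-version method would.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    for name, make in (("flexible", flexible_context), ("pinned", pinned_context)):
        versions = offered_versions(client_hello(make()))
        print(name, [hex(v) for v in versions])
```

A server that requires a version outside the pinned client's single offer has nothing to select, while the wildcard client leaves the choice to negotiation and excludes SSLv2/SSLv3 through library build options or context settings.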