In kannel-1.4.4/gwlib/conn.c, conn_init_ssl() uses SSLv23_client_method(), and server_ssl_init() uses SSLv23_server_method(). The SSL_CTX_new(3SSL) manual page says those support all of SSLv2, SSLv3, and TLSv1; and openssl-1.0.1f/ssl/s23_clnt.c shows that they support TLSv1.1 and TLSv1.2 as well. Thus, I think Kannel should already be able to connect to a server that allows only TLSv1, if the server at least understands SSLv2 client hello messages.
If you want to prevent Kannel from using SSLv2 and SSLv3, I guess Kannel could be changed to call SSL_CTX_set_options or SSL_set_options with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 options. It would perhaps be easiest to do that to global_ssl_context and global_server_ssl_context so that the options apply to all SSL objects. Is there any scenario in which one would want to support SSLv3 on some connections but not on all?
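One way to check the effect of the options suggested above, as an added example that is not part of the original message and is not Kannel code. It uses Python's ssl module, which exposes the same OpenSSL option bits on a version-flexible context; the function names and the host name smsc.invalid are constructed for illustration.

```python
import ssl

# The OpenSSL option bits named in the message, as exposed by Python's ssl module.
LEGACY = {"SSLv2": ssl.OP_NO_SSLv2, "SSLv3": ssl.OP_NO_SSLv3}


def harden(ctx):
    """Counterpart of SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)."""
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def legacy_allowed(ctx):
    """Names of legacy protocols whose OP_NO_* bit is still clear on ctx."""
    allowed = []
    for name, flag in LEGACY.items():
        if int(flag) == 0:
            continue  # OpenSSL 1.1.0+ defines SSL_OP_NO_SSLv2 as 0: SSLv2 is gone
        if not ctx.options & flag:
            allowed.append(name)
    return allowed


def first_flight(ctx):
    """Start a handshake on in-memory BIOs (no network) and parse the hello."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "smsc.invalid" is a constructed placeholder host name.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="smsc.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    data = outgoing.read()
    if data[0] & 0x80:  # SSLv2 record header: high bit set on the length byte
        return {"sslv2_format": True}
    return {
        "sslv2_format": False,
        "content_type": data[0],                              # 22 = handshake
        "record_version": int.from_bytes(data[1:3], "big"),
        "handshake_type": data[5],                            # 1 = ClientHello
        "client_version": int.from_bytes(data[9:11], "big"),  # 0x0300 = SSLv3
    }


if __name__ == "__main__":
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # version-flexible method
    ctx.options &= ~ssl.OP_NO_SSLv3                # constructed "before" state
    print("before:", legacy_allowed(ctx))
    print("after: ", legacy_allowed(harden(ctx)), first_flight(ctx))
```

Setting the options on the shared context before any connection is created, as the message proposes for the two global contexts, means every connection derived from it inherits them.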