On Thu, 2014-12-04 at 17:05 +0100, Tino Mettler wrote:
> syncevo-http-server only supports SSLv3 and no TLS connections when using
> HTTPS. This is
>
> 1. a potential security risk, as shown by the poodle attack
>
> 2. a problem with the SyncML client of syncevolution in sid and jessie, as
> SSLv3 connections won't work anymore ('Error performing TLS handshake:
> GnuTLS internal error.') when using HTTPS. So the Syncevolution SyncML
> client can't connect to the SyncML server provided by the same version of
> syncevolution.
>
> The fix is rather small. A patch against upstream (no debdiff) is attached.

- sslmethod = SSL.SSLv3_METHOD):
+ sslmethod = SSL.TLSv1_METHOD):

Is there a reason not to use SSLv23_METHOD here?

Note that TLSv1_METHOD only enables support for TLS 1.0 - it will _not_
support TLS 1.1 or 1.2. If what you're looking for is "any version of
TLS", then you want to be using SSLv23_METHOD and setting the
OP_NO_SSLv2 and OP_NO_SSLv3 flags.

Regards,

Adam
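
Review bot: the `+` line swaps one fixed-version method for another, so the default for `sslmethod` still pins the server to a single protocol version, TLS 1.0, and peers cannot negotiate TLS 1.1 or 1.2. Changing the default to `SSL.SSLv23_METHOD` would not be enough on its own, because the `OP_NO_SSLv2` and `OP_NO_SSLv3` flags have to be set on the context as well; this hunk only touches the parameter default, so the patch would need a second change where the context is built from `sslmethod`. A caller that passes `sslmethod` explicitly bypasses the new default in either case, which deserves a comment next to the parameter.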