On Sun, Dec 14, 2014 at 23:01:49 +0000, Adam D. Barratt wrote:
> On Thu, 2014-12-04 at 17:05 +0100, Tino Mettler wrote:
> > syncevo-http-server only supports SSLv3 and no TLS connections when using
> > HTTPS. This is
> >
> > 1. a potential security risk, as shown by the poodle attack
> >
> > 2. a problem with the SyncML client of syncevolution in sid and jessie, as
> > SSLv3 connections won't work anymore ('Error performing TLS handshake:
> > GnuTLS internal error.') when using HTTPS. So the Syncevolution SyncML
> > client can't connect to the SyncML server provided by the same version of
> > syncevolution.
> >
> > The fix is rather small. A patch against upstream (no debdiff) is attached.
>
> - sslmethod = SSL.SSLv3_METHOD):
> + sslmethod = SSL.TLSv1_METHOD):
>
> Is there a reason not to use SSLv23_METHOD here? Note that TLSv1_METHOD
> only enables support for TLS 1.0 - it will _not_ support TLS 1.1 or 1.2.
>
> If what you're looking for is "any version of TLS", then you want to be
> using SSLv23_METHOD and setting the OP_NO_SSLv2 and OP_NO_SSLv3 flags.
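Review bot: the `+` line, `sslmethod = SSL.TLSv1_METHOD):`, pins the server to TLS 1.0 and nothing else, so the SSLv3-only problem is traded for a TLS-1.0-only one: any client that offers TLS 1.1 or 1.2 but has TLS 1.0 switched off still fails the handshake. If the intent is "any TLS version, never SSL", change the default to `sslmethod = SSL.SSLv23_METHOD):` and, at the place where the `SSL.Context` is created from `sslmethod`, add `ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)`. The two flags are not optional: `SSLv23_METHOD` on its own still accepts SSLv3 from a client that offers nothing newer, which is exactly the POODLE exposure the report opens with. The patch should also carry a one-line comment saying why the flags are there, since the method name alone suggests the opposite of what it does.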
Hi,

thanks for all the hints. I tried to find documentation regarding this when
I crafted the patch, but failed. This is the reason for just using
TLSv1_METHOD. With your new keywords I found proper documentation.

I'll look into it, but I think the current state is valid and way better
than before.

Regards,
Tino

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
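The point Adam raises above, shown in code. This is an added example, not part of the thread and not syncevolution's code: it uses the Python standard library `ssl` module rather than pyOpenSSL (so it runs without extra packages), and it spells the two configurations the thread contrasts as a server context pinned to one version (what `SSL.TLSv1_METHOD` does) and a server context that takes any TLS version from a chosen floor while vetoing SSLv2/SSLv3 (what `SSL.SSLv23_METHOD` plus `OP_NO_SSLv2 | OP_NO_SSLv3` does). `negotiable_versions` reads the effective version policy back from a context; `pick_version` is a deliberately simplified model of version selection (an assumption of this example, not OpenSSL's negotiation code) fed with a constructed list of versions a client offers, to show which pairings have no common version at all. Function names are this example's own.

```python
import ssl

# Protocol versions from oldest to newest, each paired with the OP_NO_* flag
# that vetoes it. SSLv2 has no TLSVersion member: OpenSSL 1.1.1+, which
# Python 3.10+ requires, cannot speak it at all, so OP_NO_SSLv2 is a no-op.
_VERSIONS = [
    (ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]

# Floor that reproduces "any version of TLS" from the review (TLS 1.0 and up).
OLDEST_TLS = ssl.TLSVersion.TLSv1


def tls1_0_only_server_context():
    """Server context pinned to exactly TLS 1.0: the effect of the patch as
    posted (pyOpenSSL SSL.TLSv1_METHOD). The stdlib has no single-version
    method constant, so the pin is spelled as equal minimum and maximum."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    return ctx


def any_tls_server_context(floor=ssl.TLSVersion.TLSv1_2):
    """Server context that negotiates any TLS version from `floor` upwards
    and vetoes SSLv2/SSLv3 explicitly: the stdlib form of the review's
    SSL.SSLv23_METHOD plus set_options(OP_NO_SSLv2 | OP_NO_SSLv3).
    CPython already sets both flags on PROTOCOL_TLS_SERVER contexts; they
    are repeated here so the intent is visible and survives a change of
    defaults. The default floor is today's TLS 1.2, not the 2014 value."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = floor
    return ctx


def negotiable_versions(ctx):
    """Names of the protocol versions `ctx` will accept, oldest first, read
    back from its minimum/maximum bounds and its OP_NO_* flags."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if ssl.HAS_TLSv1_3 else ssl.TLSVersion.TLSv1_2
    return [v.name for v, no_flag in _VERSIONS
            if lo <= v <= hi and not (ctx.options & no_flag)]


def pick_version(server_ctx, client_versions):
    """Simplified model of version selection (an assumption of this example,
    not OpenSSL's own negotiation): the newest version both sides accept, or
    None when there is no overlap, in which case the handshake fails before
    any certificate or cipher suite is even considered."""
    common = [v for v in negotiable_versions(server_ctx) if v in client_versions]
    return common[-1] if common else None


if __name__ == "__main__":
    pinned, modern = tls1_0_only_server_context(), any_tls_server_context()
    print("TLSv1_METHOD-style server accepts:  ", negotiable_versions(pinned))
    print("SSLv23_METHOD+flags server accepts: ", negotiable_versions(modern))
    # Constructed offer list for a client that has retired TLS 1.0 (not a real ClientHello).
    client = ["TLSv1_1", "TLSv1_2", "TLSv1_3"]
    print("pinned server vs that client:", pick_version(pinned, client))
    print("modern server vs that client:", pick_version(modern, client))
```

Run it as a script to see the two policies side by side. The pinned context is the one to avoid: it is not "TLS instead of SSLv3" but "TLS 1.0 instead of SSLv3", and it cannot be widened later without changing the method, whereas the `any_tls_server_context` form is widened or tightened by moving one floor value.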