Source: cone
Version: 0.89-1
Severity: serious
Control: block 797926 by -1
Hi,
./tcpd/libcouriertls.c has this piece of code:
ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL3") == 0
? SSLv3_method():
protocol && strcmp(protocol, "SSL23") == 0
? SSLv23_method():
TLSv1_method());
In unstable the SSLv3_method has just been removed.
The SSLv23_* method can talk multiple version while SSLv3_* and
TLSv_* only talk one.
You have this in the documentation:
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions
# are:
#
# OpenSSL:
#
# SSL3 - SSLv3
# SSL23 - either SSLv2 or SSLv3 (also TLS1, it seems)
# TLS1 - TLS1
SSL23 also talks TLS 1.1 and TLS 1.2. It's the only method that
supports multiple protocol versions. It's name might be
confusing which is why it's been renamed in the master branch to
TLS_*.
Please stop using the version specific methods and just use the
SSLv23_method().
If you want to use limit the versions that are supported please
use SSL_(CTX_)set_options with something like SSL_OP_NO_SSLv3.
I also noticed that you used:
ssl_cipher_list="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH";
Please note that that at least this causes it to prefer SSLv3
ciphers while there are TLS1.2 ciphers available that you might
prefer instead. I suggest you remove the "SSLv3:TLSv1" part. And
you might want to rename "!NULL" to "!eNULL".
Kurt
