[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Chicken-users] OpenSSL egg option defaults poll
From: |
Thomas Chust |
Subject: |
Re: [Chicken-users] OpenSSL egg option defaults poll |
Date: |
Thu, 16 Oct 2014 05:45:16 +0200 (CEST) |
User-agent: |
Alpine 2.03 (LNX 1266 2009-07-14) |
On Thu, 16 Oct 2014, Andy Bennett wrote:
[...]
Having said that, I'm not sure which clients on which operating systems
are SSL 3.0 only.
[...]
Hello Andy,
if I understand the situation correctly, almost nobody uses SSLv3 since it
was quickly superseded by the newer TLS variants. But the initial
connection setup is similar between SSLv2 and SSLv3, while for TLS it is
entirely different and usually one uses the SSLv2 variant with additional
information that TLS is supported, if the other endpoint also supports
TLS, the protocol will then be upgraded. You can tell OpenSSL to support
only SSLv2, only SSLv3, only TLS or all three variants together. But you
cannot specifically exclude SSLv3 and still allow SSLv2 and TLS.
[...]
Have you seen this article by Google about TLS_FALLBACK_SCSV?
[...]
Yes. Whether that security measure is supported depends on the version of
the underlying SSL library, I think it is incorporated in OpenSSL 1.0.1j.
I'm unsure whether anything special needs to be done to activate the
feature.
Personally, I think the big mess of SSL/TLS protocol versions, extension
features and cipher suites is so hideously complex by now that there will
always be some more hidden vulnerabilities %-] For anything truly security
critical I would try to use an alternative protocol with a less convoluted
design and with stronger default crypto algorithms.
Ciao,
Thomas
--
When C++ is your hammer, every problem looks like your thumb.