On 02.05.2016 at 23:23, Simon Horman wrote:
> * It is not at all clear to me that the patch above disables SSLv3.
No, that was a separate patch I think. Interesting that I do not find it
in my archive of this list :-/
I attached it for reference, but did not check whether it applies cleanly to
the current HEAD of perdition.
> I believe a separate change to allow users to select which SSL/TLS
> protocol versions are enabled may be worth adding to perdition.
> But I'm not sure of a way to do that cleanly which doesn't require
> updating perdition each time the underlying SSL/TLS implementation,
> currently OpenSSL, adds support for a new protocol.
The protocol option should be a text string that is just given to
OpenSSL, so you do not need to change code for a new protocol... but the
whole thing does not really scale up and is no fun, just see the support
for Forward Secrecy. Every time you want to use a new feature of OpenSSL
you have to integrate a bunch of options, configurations etc. to be able
to use those features.
It seems to me that OpenSSL addresses this issue with its version 1.1;
the recent announcement sounded like there will finally be a kind of
separate configuration file just for the SSL. So all your software needs
to know as an option is something like "path to OpenSSL config file".
But it will be some time until OpenSSL 1.1 is available in
the distros...
Regards
Matthias
--
Dipl.-Inf. Matthias Hunstock
UniRZ der TU Ilmenau, Raum 07
Tel.: +49 3677 69-1289