On 10.05.2016 at 15:27, Simon Horman wrote:
> On Tue, May 03, 2016 at 09:33:25AM +0200, Matthias Hunstock wrote:
>> I attached it for reference, but did not check if it applies cleanly to
>> the current HEAD of perdition.
> Thanks.
>
> I like your patch and I think it's a clean way for people to close
> the gaps. However, for a release I think it would be worth making things
> configurable.
>
> As OpenSSL seems to advocate a continuous range of protocol versions
> being enabled I have gone for an approach of providing configuration
> options for the minimum and maximum protocol version, with SSLv3
> and earlier disabled by default.
This sounds sane and I think all users will appreciate that.
I probably did not suggest my patch earlier, because it's kind of hacky
to just hard-disable all the evil things ;)
> I plan to follow up with patches of a similar style to allow
> configuration of the other OpenSSL options in your patch:
> disable compression and set cipher server preference.
I personally do not see sensible use cases for compression or client
cipher preference, but having them as runtime configure option is of
course the best choice, as long as the defaults are sane.
Regards
Matthias