On Tue, May 03, 2016 at 09:33:25AM +0200, Matthias Hunstock wrote:
On 02.05.2016 at 23:23, Simon Horman wrote:
* It is not at all clear to me that the patch above disables SSLv3.
No, that was a separate patch I think. Interesting that I do not find it
in my archive of this list :-/
I attached it for reference, but did not check if it applies cleanly to
the current HEAD of perdition.
Thanks.
I like your patch and I think it's a clean way for people to close
the gaps. However, for a release I think it would be worth making things
configurable.
As OpenSSL seems to advocate a continuous range of protocol versions
being enabled, I have gone for an approach of providing configuration
options for the minimum and maximum protocol version, with SSLv3
and earlier disabled by default.
Please find my first cut of the patch attached.
At this point it is only very lightly tested.
Testing and review by interested parties would be appreciated.
I plan to follow up with patches of a similar style to allow
configuration of the other OpenSSL options in your patch:
disable compression and set cipher server preference.
I believe a separate change to allow users to select which SSL/TLS
protocol versions are enabled may be worth adding to perdition.
But I'm not sure of a way to do that cleanly which doesn't require
updating perdition each time the underlying SSL/TLS implementation,
currently OpenSSL, adds support for a new protocol.
The protocol option should be a text string that is just given to
OpenSSL, so you do not need to change code for a new protocol... but the
whole thing does not really scale up and is no fun, just see the support
for Forward Secrecy. Every time you want to use a new feature of OpenSSL
you have to integrate a bunch of options, configurations etc. to be able
to use those features.
It seems to me that OpenSSL addresses this issue with its version 1.1;
the recent announcement sounded like there will finally be a kind of
separate configuration file just for the SSL. So all your software needs
to know as an option is something like "path to openSSL config file".
Yes, it does seem a lot like that.
But there will be some time going by until OpenSSL 1.1 is available in
the distros...
Interesting. That does sound promising.
Regards
Matthias
--
Dipl.-Inf. Matthias Hunstock
UniRZ der TU Ilmenau, Raum 07
Tel.: +49 3677 69-1289
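The min/max protocol-version design discussed above, written out as an added example that is not perdition's code or either patch from the thread. It uses Python's ssl module (which wraps OpenSSL's min/max protocol-version setters) rather than perdition's C, and the option spellings ("TLSv1.2" etc.) and the default floor of TLSv1 are assumptions taken from the stated policy that SSLv3 and earlier are off by default:

```python
import ssl

# Ordered protocol versions as a config file might name them (constructed
# spellings; the thread does not give perdition's actual option syntax).
_VERSIONS = [
    ("SSLv3",   ssl.TLSVersion.SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
_BY_NAME = dict(_VERSIONS)
_ORDER = [v for _, v in _VERSIONS]


def parse_range(min_name=None, max_name=None):
    """Map optional config strings to a (min, max) pair of TLSVersion values.

    Defaults follow the policy from the thread: SSLv3 and earlier are
    disabled, so the floor is TLSv1; the ceiling is whatever OpenSSL offers.
    """
    lo = _BY_NAME.get(min_name) if min_name else ssl.TLSVersion.TLSv1
    hi = _BY_NAME.get(max_name) if max_name else ssl.TLSVersion.MAXIMUM_SUPPORTED
    if lo is None:
        raise ValueError("unknown minimum protocol version: %r" % min_name)
    if hi is None:
        raise ValueError("unknown maximum protocol version: %r" % max_name)
    # The range must be continuous and non-empty: a floor above the
    # ceiling would leave no protocol enabled at all.
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and _ORDER.index(lo) > _ORDER.index(hi):
        raise ValueError("minimum %s is above maximum %s" % (min_name, max_name))
    return lo, hi


def enabled_versions(lo, hi):
    """Names of every version inside [lo, hi], useful for a startup log line."""
    top = _ORDER[-1] if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED else hi
    i_lo, i_hi = _ORDER.index(lo), _ORDER.index(top)
    return [name for name, v in _VERSIONS if i_lo <= _ORDER.index(v) <= i_hi]


def make_server_context(min_name=None, max_name=None):
    """Build a server-side context bounded by the configured version range."""
    lo, hi = parse_range(min_name, max_name)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = lo   # OpenSSL refuses anything older than this
    ctx.maximum_version = hi   # and anything newer than this
    return ctx
```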