[CalendarServer-users] Protect against new SSL vuln

Jacques Distler distler at golem.ph.utexas.edu
Thu Oct 16 19:26:29 PDT 2014


On Oct 16, 2014, at 7:41 PM, Pascal Dallaire <pascaldallaire at cre-gim.net> wrote:

> Hello there,
> 
> Thanks for answering so quickly! I’m trying to use the older variants method before I upgrade the Calendar server completely. But in this patch, isn’t the best method TLSv1, and not SSLv23?

I was confused by this, too. According to

    https://www.openssl.org/docs/ssl/SSL_CTX_new.html

SSLv23_method is a catch-all, allowing connections using SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. You can then exclude particular protocols using, e.g.,

    SSL_OP_NO_TLSv1_1

to exclude TLSv1.1 (while still allowing the others).

By contrast, TLSv1_method (or SSLv3_method) allows only connections using that particular protocol (respectively TLSv1 and SSLv3).

That may be OK. All (or almost all) clients speak TLSv1. But it would be preferable to allow them to negotiate a TLSv1.2 connection if possible.


> 
> Pascal
> 
> On 2014-10-16 at 12:42, Cyrus Daboo <cdaboo at apple.com> wrote:
> 
>> Hi Pascal,
>> 
>> --On October 16, 2014 at 12:38:37 PM -0400 Pascal Dallaire <pascaldallaire at cre-gim.net> wrote:
>> 
>>> What is the way to disable SSLv3 in CalendarServer to protect against
>>> POODLE?
>> 
>> Our trunk code has the fix. The svn diff for the change is here:
>> 
>> <https://trac.calendarserver.org/changeset/14035>
>> 
>> Depending on what version you are using, you should be able to apply that change relatively easily. Older variants might also need the following applied:
>> 
>> <https://trac.calendarserver.org/changeset/14062>
>> 
>> -- 
>> Cyrus Daboo
> 

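The catch-all versus fixed-method distinction discussed in this message, as an added example that is not part of the original thread or of CalendarServer's code. It uses Python's standard `ssl` module with the legacy constant names that mirror the OpenSSL ones; the helper names (`permitted`, `findings`, `hardened_catch_all`, `audit`) are hypothetical, and the model reads only the method and the option mask, not `minimum_version`/`maximum_version`.

```python
import ssl
import warnings

# Protocols from the message above, oldest first, with the OP_NO_* bit that
# excludes each. SSLv2 is left out: current OpenSSL builds no longer implement it.
EXCLUDE_BITS = [
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
]
# Fixed-version methods accept exactly one protocol.
FIXED_METHODS = {
    ssl.PROTOCOL_TLSv1: "TLSv1",
    ssl.PROTOCOL_TLSv1_1: "TLSv1.1",
    ssl.PROTOCOL_TLSv1_2: "TLSv1.2",
}


def permitted(method, options):
    """Protocols allowed by `method` and the OP_NO_* bits in `options`."""
    if method in FIXED_METHODS:
        return [FIXED_METHODS[method]]
    # Catch-all method: everything is allowed unless its bit is set.
    return [name for name, bit in EXCLUDE_BITS if not options & bit]


def findings(protocols):
    """Hypothetical policy: no SSLv3 (POODLE), TLSv1.2 must be reachable."""
    problems = []
    if "SSLv3" in protocols:
        problems.append("SSLv3 still enabled")
    if "TLSv1.2" not in protocols:
        problems.append("TLSv1.2 cannot be negotiated")
    return problems


def hardened_catch_all():
    """Catch-all context with SSLv2/SSLv3 excluded via the legacy option names."""
    with warnings.catch_warnings():
        # Recent Python versions flag these legacy names as deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)  # alias of PROTOCOL_TLS
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def audit(ctx):
    """Apply the policy to a real SSLContext."""
    return findings(permitted(ctx.protocol, ctx.options))
```
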