[CalendarServer-users] Protect against new SSL vuln

Glyph glyph at twistedmatrix.com
Fri Oct 17 02:10:02 PDT 2014

> On Oct 16, 2014, at 7:26 PM, Jacques Distler <distler at golem.ph.utexas.edu> wrote:
> I was confused by this, too. According to
>    https://www.openssl.org/docs/ssl/SSL_CTX_new.html <https://www.openssl.org/docs/ssl/SSL_CTX_new.html>
> SSLv23_method is a catch-all, allowing connections using SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. You can then exclude particular protocols using, e.g.,
>    SSL_OP_NO_TLSv1_1
> to exclude TLSv1.1 (while still allowing the others).
> By contrast, TLSv1_method (or SSLv3_method) allows only connections using that particular protocol (respectively TLSv1 and SSLv3).
> That may be OK. All (or almost all) clients speak TLSv1. But it would be preferable to allow them to negotiate a TLSv1.2 connection if possible.

For what it's worth, this is the highly bizarre way that OpenSSL requires you to specify your protocol version requirements.  In TLS itself, there's no such thing as a "method", just a protocol version.  You're absolutely right that SSLv23_METHOD has nothing to do with SSLv2 or SSLv3 and just means "negotiate a protocol version out of an allowable set".

In a future version of Twisted there will be the ability to specify minimum protocol version and excluded protocol version arguments, and SSLv23_METHOD should hopefully fade away and disappear into an internal implementation detail somewhere inside Twisted's TLS layer...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-users/attachments/20141017/ca54f9df/attachment.html>

More information about the calendarserver-users mailing list