Feature #2246

[patch] ssl.use-sslv3

Added by ChiefBromden almost 4 years ago. Updated 10 months ago.

Status:FixedStart date:2010-08-11
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:-
Target version:1.4.29
Missing in 1.5.x:No

Description

Hi all,

I have recently "hardened" my SSL installation (fixing renegotiation, manually editing ciphersuites etc.) in an attempt to do at least as well as https://www.ssllabs.com/ssldb/analyze.html?d=cert.startcom.org

Long story short: It seems wise already now, but definitely for the future, to be able to turn off SSLv3 as well, and stick only with TLS, as SSLv3 also has weaknesses, and all current browsers support TLS 1.0 anyway.

I'm attaching a simple patch that allows to do precisely this. It's acting exactly like the ssl.use-sslv2 configuration, but for SSLv3 (and having the default as "enabled"). I verified this to work with the latest SVN revision of 1.4 (1.4.27-devel-2758M), but having looked at 1.5 source code it's straightforward to "port" it there as well.

If you think it's useful... well, just throw it in :-)

sslv3-switch.patch Magnifier (3.13 KB) ChiefBromden, 2010-08-11 19:58

Associated revisions

Revision 2780
Added by stbuehler over 3 years ago

ssl: Support for Diffie-Hellman and Elliptic-Curve Diffie-Hellman key exchange (fixes #2301, #2246, #2239)

- add ssl.use-sslv3
- load all algorithms

History

#1 Updated by ChiefBromden almost 4 years ago

  • Target version set to 1.4.27

#2 Updated by stbuehler almost 4 years ago

  • Target version changed from 1.4.27 to 1.4.28

#3 Updated by stbuehler almost 4 years ago

  • Target version changed from 1.4.28 to 1.4.29

#4 Updated by stbuehler over 3 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2780.

#5 Updated by brad@comstyle.com over 3 years ago

With this patch applied and disabling SSLv3 I cannot get any
browser to connect. The error log shows messages such as the
following..

2011-03-16 22:36:24: (connections.c.299) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2011-03-16 22:36:49: (connections.c.299) SSL: 1 error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number

#6 Updated by stbuehler over 3 years ago

One reason is that not all browsers support tls, the other is that tls does not work with openssl 1.0.0 right now, see #2269.

#7 Updated by brad@comstyle.com over 3 years ago

This works fine now that the fixes went in regarding ticket 2269.

#8 Updated by iXce 10 months ago

Hm, would it be possible to forward port this (and the other nice SSL patches, such as the one for use-compression) to trunk ?
Sorry if posting here is not the proper way to request this, but there's a nice "Missing in 1.5" field in the bug properties which is asking to be set to "Yes" :)

#9 Updated by stbuehler 10 months ago

1.5 isn't maintained anymore.

Also available in: Atom