Re: SSL version default

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 24 Jan 2011 21:48:08 +0000

On Mon, 24 Jan 2011 22:12:49 +0100, Henrik Nordström
<henrik_at_henriknordstrom.net> wrote:
> Mon 2011-01-24 at 20:54 +0100 Henrik Nordström wrote:
>> Mon 2011-01-24 at 17:28 +0100 Ralf Hildebrandt wrote:
>>
>> > > Making SSLv3-only or TLSv1-only the default from Squid-3.2 onwards.

Oops, the "-only" bits should not be in the above description. Sorry.

>> >
>> > Yes please
>>
>> Please note that this change will only impact some specific
>> configurations and not normal proxying:
>>
>> * sslbump
>> * cache_peer using ssl option. Mostly (only?) used in reverse
>> proxy setups.
>> * URL rewrites (not redirects) from http to https. Not sure anyone
>> uses this.
>> * http->https gatewaying for clients not natively supporting
>> https. This mode is pretty much obsolete by now, when even the
>> simplest clients supports https today.
>>
>> In normal proxying it's the browser's SSL policy that defines which SSL
>> protocol version it will use in its initial SSL handshake message.
>
>
> Additionally it seems OpenSSL has already increased the level
> internally. In default options (0) clients use TLSv1, which is rejected
> by SSLv2 servers due to protocol incompatibility (TLSv1 and SSLv3 are
> compatible, differing in negotiated parameters).

That seemed to be my impression of the SSLv23_method(). Earlier patches in
my archive from 2009 were removing the call entirely.

With this proposed patch it just cuts SSLv2 out of the available default
options, allowing any SSLv2-incompatible logic to be used by OpenSSL if
needed to make TLSv1 accessible. I'm happy to add it explicitly if we need.

As before, an admin can set an explicit list of options including SSLv2
instead of the default.

Amos
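An added illustration of the explicit setting the reply refers to; this is not
from the thread or from the Squid project's own documentation. It assumes the
Squid 3.1/3.2 directive names cache_peer ssloptions=, cache_peer sslversion= and
sslproxy_options (none of which are quoted in this message), and the peer
hostnames are made up.

```conf
# Constructed squid.conf fragment (added example; hostnames are invented).

# What the proposed default amounts to for an SSL cache_peer: the SSLv23
# method negotiates SSLv3 or TLSv1, with SSLv2 removed from the option set.
# Writing it out explicitly makes the choice visible in the config.
# (Assumed directive syntax: cache_peer ... ssl ssloptions=NO_SSLv2)
cache_peer origin.example.internal parent 443 0 no-query originserver ssl ssloptions=NO_SSLv2 name=origin

# The escape hatch the reply mentions: an admin who really has an SSLv2-only
# peer can opt back in by pinning the version instead of taking the default.
# (Assumed directive syntax: cache_peer ... ssl sslversion=2, SSLv2 only)
cache_peer legacy.example.internal parent 443 0 no-query originserver ssl sslversion=2 name=legacy

# Same knob for the outbound side used by sslbump and http->https gatewaying.
# (Assumed directive name: sslproxy_options)
sslproxy_options NO_SSLv2
```

The point of the contrast is that after the change the first form is what an
unconfigured peer gets, and anything that still needs SSLv2 has to be stated
per peer rather than inherited from a permissive default.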
Received on Mon Jan 24 2011 - 21:48:18 MST