On 01.11.2014 14:46, Yann Ylavic wrote:
There is still that a client handshaking with a SSLv2Hello (by using
SSLv23_client_method()) is likely to accept SSLv[23] protocols (unless
using SSL_OP_NO_SSLv[23] explicitly like today's mod_ssl, but it's
probably not the case for legacy clients), so
On 29.10.2014 16:42, Yann Ylavic wrote:
On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:
That would solve our problem, though some may wonder about the subtle
differences between any and all :-) More seriously, it would also make
the config-files incompatible with
On Sat, Nov 1, 2014 at 8:15 AM, Kaspar Brand httpd-dev.2...@velox.ch wrote:
On 29.10.2014 16:42, Yann Ylavic wrote:
On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. mi+t...@aldan.algebra.com
wrote:
That would solve our problem, though some may wonder about the subtle
differences between any and
On 01.11.2014 11:23, Yann Ylavic wrote:
How about SSLv2Hello keyword (à la JDK), should we agree on a real
issue caused by ALL -SSLv3 (see below)?
This keyword wouldn't fit into the current set of options, so I'm not in
favor of it (the SSL2 compatible hello is like a flag which is
orthogonal
On Sat, Nov 1, 2014 at 1:04 PM, Kaspar Brand httpd-dev.2...@velox.ch wrote:
On 01.11.2014 11:23, Yann Ylavic wrote:
The real question IMO is:
Is SSLv2Hello replied with TLSv1.x server hello really safe against
MITM/poodle/other attacks?
Well, no one can answer this question with yes as long
On Wed, Oct 29, 2014 at 4:16 AM, Yann Ylavic ylavic@gmail.com wrote:
Actually I tested the above with my earlier patch (slightly modified
to initialize ANY with SSL_PROTOCOL_ALL|SSL_PROTOCOL_ANY instead of
SSL_PROTOCOL_ANY alone) and it seems to work.
With OpenSSL 0.9.8o (debian squeeze)
On Tue, Oct 28, 2014 at 9:24 PM, Eric Covener cove...@gmail.com wrote:
On Tue, Oct 28, 2014 at 9:15 PM, Eric Covener cove...@gmail.com wrote:
There is an older/pre-poodle PR out there somewhere where the symptom
seems to be the v2hello/v2open disappearing with -SSLv3.
I can't find it
On 29.10.2014 04:37, Yann Ylavic wrote:
Forgot to mention the OP reproducer, that is with SSLProtocol ALL
-SSLv3 (with or without the patch), both SSLv2Hello and SSLv3Hello
(version SSLv3) are refused by httpd.
But if ALL is replaced with ANY, then the (patched) server will be
willing to advise
On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. mi+t...@aldan.algebra.com wrote:
On 29.10.2014 04:37, Yann Ylavic wrote:
Forgot to mention the OP reproducer, that is with SSLProtocol ALL
-SSLv3 (with or without the patch), both SSLv2Hello and SSLv3Hello
(version SSLv3) are refused by httpd.
But
Hello!
After disabling SSLv3:
SSLOptions ALL -SSLv3
we noticed that curl itself and libcurl-using programs (such as git) stopped
working on some of the (older) systems -- such as RHEL5 -- when invoked against
the https-URLs pointing at the reconfigured servers.
Invoking curl with the -1
On Tue, Oct 28, 2014 at 6:58 PM, Mikhail T. mi+t...@aldan.algebra.com
wrote:
Hello!
After disabling SSLv3:
SSLOptions ALL -SSLv3
we noticed that curl itself and libcurl-using programs (such as git)
stopped working on some of the (older) systems -- such as RHEL5 -- when
invoked against
On Tue, Oct 28, 2014 at 9:15 PM, Eric Covener cove...@gmail.com wrote:
There is an older/pre-poodle PR out there somewhere where the symptom
seems to be the v2hello/v2open disappearing with -SSLv3.
I can't find it though -- Jeff?
On Wed, Oct 29, 2014 at 2:15 AM, Eric Covener cove...@gmail.com wrote:
They had a year-old httpd2.4 from EPEL / RH software collections but it's
built against an old openssl, so it isn't aware of tls1.1 and tls1.2 and
that same block of code ends up locking you into exactly TLSv1.0 once you
On Tue, Oct 28, 2014 at 9:43 PM, Yann Ylavic ylavic@gmail.com wrote:
Kaspar, does the v2open require sslv2method? What do you think of the
patch
above?
I don't think so, SSLv23 seems to use the lowest non-disabled method,
and we explicitly disable the ones not configured. So it
On Wed, Oct 29, 2014 at 2:43 AM, Yann Ylavic ylavic@gmail.com wrote:
Maybe we should introduce another protocol keyword, namely ANY, which
would opt-in SSLv23 (SSLv2Hello), and not disable single protocol
configuration in any case like in the patch proposed by Mikhail.
So that SSLProtocol
On Wed, Oct 29, 2014 at 3:01 AM, Yann Ylavic ylavic@gmail.com wrote:
On Wed, Oct 29, 2014 at 2:43 AM, Yann Ylavic ylavic@gmail.com wrote:
Maybe we should introduce another protocol keyword, namely ANY, which
would opt-in SSLv23 (SSLv2Hello), and not disable single protocol