Hi Ralf and Kalle,

@Ralf: Thanks for raising this issue!

@Kalle: Thanks for the detailed analysis!

Kalle wrote:
> If you want to prevent Kannel from using SSLv2 and SSLv3, I guess 
> Kannel could be changed to call SSL_CTX_set_options or SSL_set_options 
> with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 options.  It would perhaps be 
> easiest to do that to global_ssl_context and global_server_ssl_context 
> so that the options apply to all SSL objects.  Is there any scenario 
> in which one would want to support SSLv3 on some connections but not 
> on all?

Assuming your analysis is correct, it seems to me that best way forward 
would be to suggest upstream to have a configuration option to pass 
flags to OpenSSL.  Would either of you do that?


Regards,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature

Reply via email to