On 19.11.2018 10:11, Pedro Lino wrote:
> Hi Brane, all
>
>> On November 19, 2018 at 12:52 AM Branko Čibej <br...@apache.org> wrote:
>>> Does the Apache web server still support TLS version 1.0? The old
>>> version of OpenSSL that we bundle with the Windows and Linux versions
>>> doesn't support anything newer than that.
>>
>> It looks like you found the real problem:
>>
>> $ curl -sviI --tlsv1.0 https://ooo-updates.apache.org/
>> * Trying 40.79.78.1...
>> ...
>> * TLSv1.0 (OUT), TLS handshake, Client hello (1):
>> * TLSv1.0 (IN), TLS alert, Server hello (2):
>> * error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert protocol
>> version
>>
>>
>> Connection fails with options --tlsv1.0 and --tlsv1.1 but succeeds with
>> --tlsv1.2. Which is in fact a good thing; TLSv1 and TLSv1.1 both have
>> known security bugs.
> This means that on the Server side connection with the current version of
> Openoffice will not be accepted?
> Can this change be reversed or an exception opened for AOO?

This is a server-side configuration, I suppose an exception could be
added ... but this is for Infra to decide.

> Otherwise, how are users going to be notified that any future version is
> available?

It's actually a bit worse than users not being notified. If you bundle
your own SSL library you must have a process in place to track security
fixes in said library. I suspect OpenSSL is not the only issue; for
example, AOO still uses Serf 1.2.1, which does not support the latest
OpenSSL, so you're effectively stuck with 1.02 and can't migrate to
1.1.0 unless you also upgrade Serf.

-- 
Brane
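The "tlsv1 alert protocol version" line in the curl output quoted above corresponds to a two-byte TLS alert record sent by the server. As an added example (not part of the thread, and not code from AOO or Infra), this Python sketch decodes such records so a client-side check or a packet capture can tell a version rejection apart from other handshake failures; the sample byte strings are constructed, not captured from ooo-updates.apache.org.

```python
import struct

ALERT = 21  # TLS record content type for alerts
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                40: "handshake_failure", 70: "protocol_version",
                71: "insufficient_security", 80: "internal_error",
                86: "inappropriate_fallback"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_records(data):
    """Yield (content_type, record_version, fragment) for each complete record."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack_from("!BHH", data, offset)
        fragment = data[offset + 5: offset + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, fragment
        offset += 5 + length
    if offset != len(data):
        raise ValueError("trailing bytes shorter than a record header")


def first_alert(data):
    """Return a dict describing the first alert record, or None if there is none."""
    for ctype, version, fragment in parse_records(data):
        if ctype != ALERT:
            continue
        if len(fragment) != 2:
            raise ValueError("plaintext alert must be exactly 2 bytes")
        level, desc = fragment
        return {"record_version": VERSIONS.get(version, hex(version)),
                "level": LEVELS.get(level, str(level)),
                "description": DESCRIPTIONS.get(desc, str(desc))}
    return None


def rejected_for_version(data):
    """True when the server answered with a fatal protocol_version alert."""
    alert = first_alert(data)
    return bool(alert) and alert["level"] == "fatal" and alert["description"] == "protocol_version"


# Constructed sample: fatal protocol_version alert in a TLSv1.0-versioned record.
SAMPLE_REJECT = bytes.fromhex("15030100020246")
# Constructed sample: a handshake record (type 22) with a 4-byte body, no alert.
SAMPLE_HANDSHAKE = bytes.fromhex("16030300040e000000")
```

Only unencrypted alerts, as sent before the handshake completes, are decoded here; alerts sent after encryption starts cannot be read this way.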