Did anyone have time to review these patches?

On Sun, 27 Sep 2015 23:17:18 +0200 Wolfgang Wiedmeyer <[email protected]> wrote:
> I provided in the following post an overview of the different ssl/tls
> issues with different android browsers:
> https://redmine.replicant.us/boards/39/topics/8007?r=9081#message-9081
>
> You can do the test from ssllabs yourself here:
> https://www.ssllabs.com/ssltest/viewMyClient.html
>
> For the stock android browser the following problems get reported:
> - no support for TLS version > 1.0
> - affected by logjam and freak vulnerability
> - vulnerable to poodle attack or more general: SSL version 3 is not
>   disabled
> - weak RC4 ciphers are enabled
> - no OCSP stapling
>
> Except for OCSP stapling I was able to fix all issues so that the test
> for them passes. The patches for disabling SSLv3, enabling TLSv1.1 and
> TLSv1.2 and removal of weak RC4 ciphers were completely written by
> myself, so please review these patches carefully! I cannot guarantee
> that the implementation is complete or without bugs, nor am I a
> security expert or familiar with the code base. I just sat down and
> tried to fix these issues.
>
> Replicant has openssl version 1.0.1c and it is not easy to find working
> patches for recent vulnerabilities for such an old version. I was able
> to use patches for Ubuntu 12.04 LTS, as it has openssl 1.0.1 (slightly
> older). These patches only needed very few modifications and solved
> the logjam and freak vulns. There are a lot more security related
> patches in the Ubuntu package, so these could also be included in
> replicant.
>
> If there are any trustworthy testing tools for webview vulnerabilities,
> I could also try to make fixes for these. I couldn't find any so far.
