Bug#804607: lua-sec: SSLv3 method

2015-11-16 Thread Enrico Tassi
On Sat, Nov 14, 2015 at 02:16:53PM +0100, Kurt Roeckx wrote:
> A few use tlsv1 which isn't much better.

Thanks for your help, I'm preparing an upload.

Can you argue why tlsv1 is not good?

See also: https://github.com/brunoos/luasec/issues/58

Best,
-- 
Enrico Tassi



Bug#804607: lua-sec: SSLv3 method

2015-11-14 Thread Kurt Roeckx
Looking at the code it has:
static LSEC_SSL_METHOD* str2method(const char *method)
{
  if (!strcmp(method, "sslv23"))  return SSLv23_method();
  if (!strcmp(method, "sslv3"))   return SSLv3_method();
  if (!strcmp(method, "tlsv1"))   return TLSv1_method();
#if (OPENSSL_VERSION_NUMBER >= 0x1000100fL)
  if (!strcmp(method, "tlsv1_1")) return TLSv1_1_method();
  if (!strcmp(method, "tlsv1_2")) return TLSv1_2_method();
#endif
  return NULL;
}

And almost all the samples seem to be doing:
./samples/info/client.lua:   protocol = "sslv3",
./samples/info/client.lua:   options = {"all", "no_sslv2"},

A few use tlsv1 which isn't much better.

This is all completely wrong.

The only method supporting multiple versions is SSLv23_*.  All the
others are version specific and the no_sslv2 / SSL_OP_NO_SSLv2
doesn't have any effect on them.

I suggest you always use SSLv23_method().  Maybe you should get
rid of the protocol thing, or just don't let it have any effect.


Kurt
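The point above, as an added Lua example that is not part of the bug report or of luasec's own code: the weak parameter table from the samples next to a corrected one, plus a small checker for the mistake Kurt describes. It assumes the luasec parameter names shown (mode, protocol, options, verify, cafile); the CA bundle path is an assumed placeholder.

```lua
-- Added example (not from the bug report or from luasec): weak vs corrected
-- luasec parameters, and a checker that flags version-specific protocol names.

-- Weak: "sslv3" maps to SSLv3_method(), which speaks SSLv3 only. The
-- "no_sslv2" option is a no-op here because the method is version-specific.
local weak_params = {
  mode     = "client",
  protocol = "sslv3",
  options  = {"all", "no_sslv2"},
}

-- Corrected: "sslv23" maps to SSLv23_method(), the only version-flexible
-- method, so the handshake negotiates the highest version both sides support
-- and the no_* options actually remove the legacy versions from the set.
local fixed_params = {
  mode     = "client",
  protocol = "sslv23",
  options  = {"all", "no_sslv2", "no_sslv3"},
  verify   = "peer",
  cafile   = "/etc/ssl/certs/ca-certificates.crt",  -- assumed path
}

-- Returns true when params select the version-flexible method with SSLv2 and
-- SSLv3 disabled; otherwise returns false and a reason.
local function check_params(params)
  if params.protocol ~= "sslv23" then
    return false, ("protocol %q is version-specific; no_* options are ignored")
      :format(tostring(params.protocol))
  end
  local disabled = {}
  for _, opt in ipairs(params.options or {}) do disabled[opt] = true end
  for _, legacy in ipairs({ "no_sslv2", "no_sslv3" }) do
    if not disabled[legacy] then
      return false, "missing option " .. legacy
    end
  end
  return true
end

print(check_params(weak_params))
print(check_params(fixed_params))

-- Use with luasocket and luasec (assumed installed), as in samples/info/client.lua:
-- local socket, ssl = require("socket"), require("ssl")
-- local conn = socket.tcp(); assert(conn:connect(host, 443))
-- conn = assert(ssl.wrap(conn, fixed_params)); assert(conn:dohandshake())
```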