On 09/10/2015 11:09 PM, Amos Jeffries wrote:
On 11/09/2015 4:50 a.m., Tsantilas Christos wrote:
On 09/10/2015 04:07 PM, Stuart Henderson wrote:
LibreSSL has removed SSLv3, and it can be disabled optionally in OpenSSL
by building with no_ssl3. The patch below allows building against such a
I suppose that LibreSSL wants to force us to use TLS instead of
SSLv3, so maybe it is better to try to use TLS_method() instead of
SSLv23_method.
Also, from a very quick look it seems that the LibreSSL TLS_method() is
equivalent to the OpenSSL TLSv1_2_method() method...
Yes, maybe and no :
Yes - LibreSSL is following the SSLv2/SSLv3 deprecation RFCs very
closely. Upcoming OpenSSL versions will be too, eventually. So those
using the very latest libraries get the very latest up-to-date
specification requirements applied.
SSLv2 has been removed from the OpenSSL git repository too...
Maybe - If I'm reading the OpenSSL docs right the SSLv3_method was
producing a fixed specific method to negotiate SSLv3-only protocol. The
TLS_method is negotiating any TLS version. I think use of SSLv3_method
was a bug to begin with and TLS_method()/SSLv23_method() would be
correct now.
The SSLv23_method, if SSLv2 is disabled in the options, will send a
full SSLv3/TLS message without SSLv2 backward compatibility.
It looks like using TLS_method/SSLv23_method is correct.
[ IMO we should rename parseV23Hello to parseV2Hello to clarify that it
parses a v2 syntax hello. Avoid confusing with SSL*_method() vs
TLS_method() relevance. ]
This is not exactly correct.
The parseV23Hello actually parses an SSLv3 Hello message which is
encapsulated in an SSLv2-compatible header.
Unfortunately there are clients which are still using it.
No - TLS_method() is *not* equivalent to TLSv1_2_method(). It is
equivalent to SSLv23_method() / SSLv23_server_method(). All of those may
or may not produce TLSv1_2_method() as their output depending on the
config settings.
This is true. TLS_method is something like "support up to TLSv1.2".
Assuming the patch is correct in swapping SSLv23_method(), then it
should actually be swapping to TLS_method() with back-compat #if
wrappers using SSLv23_method(), as seen with uses of the
SSLv23_*_method() functions.
Yes.
[ I see the parseV23Hello() is using SSLv23_method() bare. That is a bug
waiting to happen when OpenSSL v1.2-1.3 hits us. Which should also be
fixed in this patch scope. ]
True.
The SSLv23_method() is used to parse an SSLv3/TLS hello message, which
is encapsulated in an SSLv2-compatible SSL header.
We need to replace this method.
From a very quick look, the only use of this method is to get the size of
each cipher in the HELLO message. I suppose it can be hardcoded.
I hope we have some time before SSLv23_method is fully removed from
OpenSSL and forked libraries.
Amos
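The SSLv2-compatible hello that parseV23Hello handles, as an added example that is not Squid's code: a stand-alone C parser for the V2ClientHello layout of RFC 5246 appendix E.2, with the 3-byte cipher spec size hardcoded as the thread suggests instead of asking SSLv23_method() for it. The sample bytes are constructed, and the struct, macro and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Parsed fields of an SSLv2-compatible CLIENT-HELLO carrying an SSLv3/TLS version. */
struct v2hello {
    uint16_t version;      /* e.g. 0x0301 for TLS 1.0 */
    size_t cipher_count;   /* number of 3-byte cipher specs */
    size_t v3_ciphers;     /* specs of the form {0x00, hi, lo}: SSLv3/TLS suites */
};

/* Fixed layout from RFC 5246 appendix E.2: 2-byte length, type, version, three
 * 2-byte lengths; every cipher spec is 3 bytes, the size the thread proposes hardcoding. */
#define V2_HELLO_HDR 11
#define V2_CIPHER_SPEC_LEN 3

/* Returns 0 on success, a negative code naming the failed check otherwise. */
int parse_v2_hello(const uint8_t *buf, size_t len, struct v2hello *out)
{
    if (len < V2_HELLO_HDR) return -1;
    if (!(buf[0] & 0x80)) return -2;                 /* 2-byte header: high bit set */
    size_t msg_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    if (msg_len + 2 != len) return -3;               /* record length must match buffer */
    if (buf[2] != 1) return -4;                      /* msg_type must be CLIENT-HELLO */
    uint16_t version = (uint16_t)((buf[3] << 8) | buf[4]);
    if (version < 0x0300) return -5;                 /* a pure SSLv2 hello: reject */
    size_t cs_len = ((size_t)buf[5] << 8) | buf[6];
    size_t sid_len = ((size_t)buf[7] << 8) | buf[8];
    size_t ch_len = ((size_t)buf[9] << 8) | buf[10];
    if (cs_len % V2_CIPHER_SPEC_LEN != 0) return -6;
    if (sid_len != 0) return -7;                     /* must be 0 for a TLS-capable client */
    if (ch_len < 16 || ch_len > 32) return -8;       /* challenge bounds per RFC 5246 E.2 */
    if (V2_HELLO_HDR + cs_len + sid_len + ch_len != len) return -9;
    const uint8_t *cs = buf + V2_HELLO_HDR;
    out->version = version;
    out->cipher_count = cs_len / V2_CIPHER_SPEC_LEN;
    out->v3_ciphers = 0;
    for (size_t i = 0; i < cs_len; i += V2_CIPHER_SPEC_LEN)
        if (cs[i] == 0x00) out->v3_ciphers++;        /* SSLv2-only specs have a non-zero first byte */
    return 0;
}

/* Constructed sample: TLS 1.0 version, two TLS suites plus one SSLv2-only spec,
 * empty session id, 16-byte challenge. msg_length = 34 = 0x0022. */
const uint8_t SAMPLE_V2_HELLO[] = {
    0x80, 0x22, 0x01, 0x03, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x2f,  0x00, 0x00, 0x35,  0x01, 0x00, 0x80,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
```

Feeding the sample through parse_v2_hello() reports version 0x0301, 3 cipher specs of which 2 are SSLv3/TLS suites; truncating the buffer by one byte fails the record-length check.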
_______________________________________________
squid-dev mailing list
[email protected]
http://lists.squid-cache.org/listinfo/squid-dev