On 23/11/13 1:11 AM, Emmanuel Dreyfus wrote:
> Emmanuel Dreyfus <m...@netbsd.org> wrote:
>
>> This short patch adds a few improvements to imapproxy SSL client
>> - TLSv1.2 support if OpenSSL supports it
>
> I realize that part is broken for the general case:
> TLSv1_2_client_method() only negotiates TLSv1.2 and will fail if server
> does not support it.
>
> The right way seems to use SSLv23_client_method(), which negotiates the
> highest available version, which includes TLSv1.2, despite what the
> method name suggests. That page makes it clear (even if it does not talk
> about 1.2): http://www.openssl.org/docs/ssl/SSL_CTX_new.html
>
> I will post a new patch that uses SSLv23_client_method(). TLS version
> can still be controlled by SSL_CTX_set_options() with
> SSL_OP_NO_(SSLv2|SSLv3|TLSv1|TLSv1_1|TLSv1_2). Do we want an option to
> control the protocol version, or just picking the best is just good
> enough?

Personally I'd like to see an option to be able to control which
versions are enabled.

> If we do not provide an option, I think we want to disable SSLv2, which
> is well known to be insecure, and SSLv3, which was not supported by
> imapproxy before. Feedback is welcome.

If the OpenSSL being built against supports SSLv2 (Debian / Ubuntu /
OpenBSD's OpenSSL does not support SSLv2) then it should be disabled, period.

-----
squirrelmail-imapproxy mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-imapproxy@lists.sourceforge.net
List archives: http://news.gmane.org/gmane.mail.squirrelmail.imapproxy
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-imapproxy
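
Added example, not part of the thread and not imapproxy code: the approach discussed above (a version-flexible client method, SSLv2 and SSLv3 always off, further versions switched off by an option) sketched with Python's ssl module, which re-exports the same OpenSSL SSL_OP_NO_* bits. The option syntax and the function names are assumptions made for illustration.

```python
import ssl
import warnings

# Protocol names a hypothetical imapproxy-style option would accept, mapped to
# the OpenSSL SSL_OP_NO_* bits that Python's ssl module re-exports.
OP_BY_NAME = {
    "SSLv2": ssl.OP_NO_SSLv2,  # may be 0 when the linked OpenSSL has no SSLv2
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1_1": ssl.OP_NO_TLSv1_1,
    "TLSv1_2": ssl.OP_NO_TLSv1_2,
}
ALWAYS_DISABLED = ["SSLv2", "SSLv3"]  # off regardless of configuration


def parse_disabled(value):
    """Turn "TLSv1, TLSv1_1" into an ordered, de-duplicated list of names."""
    requested = [n.strip() for n in value.split(",") if n.strip()]
    unknown = [n for n in requested if n not in OP_BY_NAME]
    if unknown:
        # Fail closed: a typo must not silently leave a protocol enabled.
        raise ValueError("unknown protocol name(s): " + ", ".join(unknown))
    names = list(ALWAYS_DISABLED)
    for n in requested:
        if n not in names:
            names.append(n)
    return names


def options_mask(names):
    """OR together the SSL_OP_NO_* bits for the given protocol names."""
    mask = 0
    for n in names:
        mask |= OP_BY_NAME[n]
    return mask


def build_client_context(disabled=""):
    """Version-flexible client context with the configured versions masked."""
    # PROTOCOL_TLS_CLIENT negotiates the highest version both sides support.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Recent Pythons deprecate OP_NO_* in favour of minimum_version.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= options_mask(parse_disabled(disabled))
    return ctx


if __name__ == "__main__":
    ctx = build_client_context("TLSv1, TLSv1_1")  # constructed option value
    print(bool(ctx.options & ssl.OP_NO_TLSv1_1))
```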