Discussion:
[PATCH] gweb: Enable TLSv1.2 and TLSv1.1
p***@jolla.com
2014-10-18 21:33:50 UTC
From: Pasi Sjöholm <***@jollamobile.com>

As the web servers are migrating away from SSLv3, more secure
protocols need to be enabled.

Thanks to Hannu Mallat for noticing this.
---
gweb/giognutls.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gweb/giognutls.c b/gweb/giognutls.c
index 09dc9e7..687bf8f 100644
--- a/gweb/giognutls.c
+++ b/gweb/giognutls.c
@@ -456,7 +456,8 @@ GIOChannel *g_io_channel_gnutls_new(int fd)
"NORMAL:%COMPAT", NULL);
#else
gnutls_priority_set_direct(gnutls_channel->session,
- "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL);
+ "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1:" \
+ "+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL);
#endif

gnutls_certificate_allocate_credentials(&gnutls_channel->cred);
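Review bot: the new priority string still ends with "+VERS-SSL3.0", so after this change the client keeps accepting SSLv3 with any server that negotiates it; the commit message motivates the patch with servers moving away from SSLv3, which argues for dropping that keyword (or gating it behind a configuration option) rather than keeping it unconditionally. Minor: the trailing `\` on the `"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1:" \` line is unnecessary, since adjacent string literals are concatenated by the compiler; the two literals can simply follow each other on separate lines.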
--
1.9.1
Jukka Rissanen
2014-10-20 08:21:48 UTC
Hi Pasi,

On su, 2014-10-19 at 00:33 +0300, ***@jolla.com wrote:
> From: Pasi Sjöholm <***@jollamobile.com>
>
> As the web servers are migrating away from SSLv3, more secure
> protocols need to be enabled.

I just wonder, should we just disable sslv3 support altogether?

>
> Thanks to Hannu Mallat for noticing this.
> ---
> gweb/giognutls.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/gweb/giognutls.c b/gweb/giognutls.c
> index 09dc9e7..687bf8f 100644
> --- a/gweb/giognutls.c
> +++ b/gweb/giognutls.c
> @@ -456,7 +456,8 @@ GIOChannel *g_io_channel_gnutls_new(int fd)
> "NORMAL:%COMPAT", NULL);
> #else
> gnutls_priority_set_direct(gnutls_channel->session,
> - "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL);
> + "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1:" \
> + "+VERS-TLS1.0:+VERS-SSL3.0:%COMPAT", NULL);
> #endif
>
> gnutls_certificate_allocate_credentials(&gnutls_channel->cred);


Cheers,
Jukka
Pasi Sjöholm
2014-10-20 08:49:56 UTC
Hi Jukka,

>> As the web servers are migrating away from SSLv3, more secure
>> protocols need to be enabled.
> I just wonder, should we just disable sslv3 support altogether?

I thought about it but was a bit afraid there are still systems which only support sslv3 (even if it is broken++). On the other hand, Mozilla and Google are dropping sslv3 from their browsers within the next 3 months, so I guess it wouldn't hurt so much in the end.

I can do a v2 of that patch which would remove sslv3 support if you want.

Br,
Pasi
Marcel Holtmann
2014-10-20 09:37:23 UTC
Hi Pasi,

>>> As the web servers are migrating away from SSLv3, more secure
>>> protocols need to be enabled.
>> I just wonder, should we just disable sslv3 support altogether?
>
> I thought about it but was a bit afraid there are still systems which only support sslv3 (even if it is broken++). On the other hand, Mozilla and Google are dropping sslv3 from their browsers within the next 3 months, so I guess it wouldn't hurt so much in the end.
>
> I can do a v2 of that patch which would remove sslv3 support if you want.

Default SSLv3 off is a good idea, but we might want to have a main.conf option that allows integrators to choose the insecure SSLv3 as a valid option.

Regards

Marcel
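How the "off by default, opt-in via main.conf" idea could look, as an added example that is not connman's own code: the gweb priority string is built with "+VERS-SSL3.0" appended only when a hypothetical main.conf switch (allow_sslv3) is set, and a small parser, a simplified model of GnuTLS priority-string handling that only tracks the explicit VERS- keywords, reports which protocol versions each string leaves enabled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the GnuTLS priority keywords this patch touches (added
 * example, not connman code): tokens apply left to right, "-VERS-TLS-ALL"
 * clears every tracked version, "+VERS-<x>"/"-VERS-<x>" toggles one. */
enum { V_SSL3 = 1, V_TLS10 = 2, V_TLS11 = 4, V_TLS12 = 8 };
static const struct { const char *kw; int bit; } vers[] = {
	{ "VERS-SSL3.0", V_SSL3 }, { "VERS-TLS1.0", V_TLS10 },
	{ "VERS-TLS1.1", V_TLS11 }, { "VERS-TLS1.2", V_TLS12 },
};

/* Build the gweb priority string; SSLv3 is appended only when the
 * hypothetical main.conf switch allow_sslv3 is set (default off). */
int build_priority(char *out, size_t len, bool allow_sslv3)
{
	return snprintf(out, len,
		"NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0%s:%%COMPAT",
		allow_sslv3 ? ":+VERS-SSL3.0" : "");
}

/* Return a V_* bitmask of the protocol versions the string leaves enabled. */
int enabled_versions(const char *prio)
{
	char buf[256];
	int mask = 0;
	snprintf(buf, sizeof buf, "%s", prio);	/* strtok needs a writable copy */
	for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
		if (strcmp(tok, "-VERS-TLS-ALL") == 0) { mask = 0; continue; }
		for (size_t i = 0; i < sizeof vers / sizeof vers[0]; i++) {
			if (strcmp(tok + 1, vers[i].kw) != 0)
				continue;
			if (tok[0] == '+') mask |= vers[i].bit;
			else if (tok[0] == '-') mask &= ~vers[i].bit;
		}
	}
	return mask;
}

int main(void)
{
	char prio[128];
	build_priority(prio, sizeof prio, false);
	printf("default : %s -> 0x%x\n", prio, enabled_versions(prio));
	build_priority(prio, sizeof prio, true);
	printf("sslv3 on: %s -> 0x%x\n", prio, enabled_versions(prio));
	return 0;
}
```

The authoritative check for any real string is GnuTLS itself, e.g. `gnutls-cli -l --priority "<string>"`, which lists the protocols and ciphersuites that string actually enables.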