Hi Cyril Thanks for your reply!
(adding debian-perl list to the recipients, to have more comments if
needed)
On Fri, Jun 01, 2012 at 11:07:44AM +0200, Cyril Brulebois wrote:
> Salvatore Bonaccorso <car...@debian.org> (01/06/2012):
> > It was reported [1], that libnet-ssleay-perl does not report the
> > correct constant value for SSL_OP_NO_TLSv1_1. There was the following
> > change in openssl 1.0.1b-1:
> >
> > openssl (1.0.1b-1) unstable; urgency=high
> > .
> > * New upstream version
> > - Remaps SSL_OP_NO_TLSv1_1, so applications linked to 1.0.0
> > can talk to servers supporting TLS 1.1 but not TLS 1.2
> > - Drop rc4_hmac_md5.patch, applied upstream
>
> Does it mean we're going to hit the same kind of issues next time
> there's a similar change in openssl?
Yes I think so if openssl would have again such a change, we will have
similar issue again. If openssl changes constant values as for 1.0.1b,
then libnet-ssleay-perl would need a rebuild against this updated
openssl version.
However ...
In changes of openssl I read this:
----cut---------cut---------cut---------cut---------cut---------cut-----
*) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and
1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately
mean any application compiled against OpenSSL 1.0.0 headers setting
SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng
TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to
0x10000000L Any application which was previously compiled against
OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1
will need to be recompiled as a result. Letting be results in
inability to disable specifically TLS 1.1 and in client context,
in unlike event, limit maximum offered version to TLS 1.0 [see below].
[Steve Henson]
*) In order to ensure interoperabilty SSL_OP_NO_protocolX does not
disable just protocol X, but all protocols above X *if* there are
protocols *below* X still enabled. In more practical terms it means
that if application wants to disable TLS1.0 in favor of TLS1.1 and
above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass
SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to
client side.
[Andy Polyakov]
----cut---------cut---------cut---------cut---------cut---------cut-----
So this might not affect only libnet-ssleay-perl? At least if one uses
SSL_OP_NO_TLSv1_1.
Regards,
Salvatore
signature.asc
Description: Digital signature
