On Jul 26, 2010, at 6:00 AM, Charlie Brady 
<charlieb-qpsm...@budge.apana.org.au> wrote:

> On Sun, 25 Jul 2010, Matt Simerson wrote:
> 
>> Here's a chunk of code from one of my projects:
>> 
>> A config file setting allows an admin to choose from: all, high, medium, or 
>> pci. 
>> 
>> my $s = $ciphers eq 'all'    ? 'ALL'
>>        : $ciphers eq 'high'   ? 'HIGH:!SSLv2'
>>        : $ciphers eq 'medium' ? 'HIGH:MEDIUM:!SSLv2'
>>        : $ciphers eq 'pci'    ? 'DEFAULT:!ADH:!LOW:!EXP:!SSLv2:+HIGH:+MEDIUM'
>>        :                        'DEFAULT';
>> 
>> Then you set SSL_cipher_list in the call to 
>> IO::Socket::SSL::SSL_Context->new. 
> 
> Please note that SSL_version is distinct from cipher list, and is not 
> settable in the current code.

Sure, but what types of SSL connections are allowed when we exclude the 
insecure SSLv2 ciphers? 

Mine is also a simple untested patch, but I'm reasonably confident it will do 
exactly what is desired. By changing a config file rather than code, my 
solution is less likely to cause future problems.

Your solution will require further code changes when TLSv1 is insecure and 
TLSv2 is desirable instead.

If you still wish to set SSL_version explicitly, make it a config file option 
and set the default value to 'SSLv3' instead, which includes TLSv1. That 
effectively does what you said cannot be done (disable only SSLv2).

I'm confident such a patch would be welcomed and committed.

Matt

>> 
>> 
>> On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:
>> 
>>> 
>>> Here's a simple, and untested, patch - someone might care to do something 
>>> more elaborate to allow choice of TLSv1 or SSLv3 (unfortunately 
>>> IO::Socket::SSL doesn't seem to allow disable of just SSLv2).
>>> 
>>> --- qpsmtpd-0.83/plugins/tls.orig    2010-07-22 22:04:00.000000000 -0400
>>> +++ qpsmtpd-0.83/plugins/tls    2010-07-22 22:09:35.000000000 -0400
>>> @@ -80,6 +80,7 @@
>>>    local $^W; # this bit is very noisy...
>>>    my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
>>>        SSL_use_cert => 1,
>>> +        SSL_version => 'TLSv1',
>>>        SSL_cert_file => $self->tls_cert,
>>>        SSL_key_file => $self->tls_key,
>>>        SSL_ca_file => $self->tls_ca,
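
Review bot: The added `SSL_version => 'TLSv1'` in the `IO::Socket::SSL::SSL_Context->new` call hard-codes the protocol as a string literal, so any later change of protocol means editing the plugin again. The covering note already anticipates a choice between TLSv1 and SSLv3, so consider taking the value from a plugin argument or config setting with 'TLSv1' as the default, and documenting that setting in the plugin. As the covering note implies, this value excludes SSLv3-only clients as well as SSLv2, which is a behaviour change worth stating in that documentation.
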
>>> @@ -176,6 +177,7 @@
>>>        my $tlssocket = IO::Socket::SSL->new_from_fd(
>>>            fileno(STDIN), '+>',
>>>            SSL_use_cert => 1,
>>> +            SSL_version => 'TLSv1',
>>>            SSL_cert_file => $self->tls_cert,
>>>            SSL_key_file => $self->tls_key,
>>>            SSL_ca_file => $self->tls_ca,
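
Review bot: The `IO::Socket::SSL->new_from_fd` call repeats the same `SSL_version => 'TLSv1'` literal that the first hunk adds to the context constructor, so the two code paths can drift apart if only one of them is edited later. Take the value from one place, such as a single accessor or variable used by both calls. Since the patch is described as untested, this path, which wraps the existing STDIN descriptor, should get its own check that a TLSv1 handshake succeeds and an SSLv2 one is refused.
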
>>> 
>> 
>> 
