On Mon, 26 Jul 2010, Matt Simerson wrote:

> > Please note that SSL_version is distinct from cipher list, and is not 
> > settable in the current code.
> 
> Sure, but what types of SSL connections are allowed when we exclude the 
> insecure SSLv2 ciphers?

Good point.

> Mine is also a simple untested patch, but I'm reasonably confident it 
> will do exactly what is desired. By changing a config file rather than 
> code, my solution is less likely to cause future problems.

OK, but you are proposing adding code aren't you, to add the 
all/high/medium/pci aliases?

> Your solution will require further code changes when TLSv1 is insecure 
> and TLSv2 is desirable instead.

OK.

> If you still wish to set SSL_version explicitly, make it a config file 
> option and set the default value to 'SSLv3' instead, which includes 
> TLSv1. That effectively does what you said cannot be done (disable only 
> SSLv2).

I didn't realise the SSLv3 includes TLSv1. Did I miss that in the pod? Or 
is it just implicit in that TLSv1 is SSLv3.1, and SSLv3 means SSLv3.x?

> I'm confident such a patch would be welcomed and committed.

I think you've convinced me that it is not required. Do you think it would 
be useful?

> 
> Matt
> 
> >> 
> >> 
> >> On Jul 22, 2010, at 7:29 PM, Charlie Brady wrote:
> >> 
> >>> 
> >>> Here's a simple, and untested, patch - someone might care to do something 
> >>> more elaborate to allow choice of TLSv1 or SSLv3 (unfortunately 
> >>> IO::Socket::SSL doesn't seem to allow disabling just SSLv2).
> >>> 
> >>> --- qpsmtpd-0.83/plugins/tls.orig    2010-07-22 22:04:00.000000000 -0400
> >>> +++ qpsmtpd-0.83/plugins/tls    2010-07-22 22:09:35.000000000 -0400
> >>> @@ -80,6 +80,7 @@
> >>>    local $^W; # this bit is very noisy...
> >>>    my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
> >>>        SSL_use_cert => 1,
> >>> +        SSL_version => 'TLSv1',
> >>>        SSL_cert_file => $self->tls_cert,
> >>>        SSL_key_file => $self->tls_key,
> >>>        SSL_ca_file => $self->tls_ca,
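Review bot: `SSL_version => 'TLSv1'` is a hard-coded literal in the SSL_Context constructor, so an operator cannot pick SSLv3 versus TLSv1 (or change it later) without editing the plugin, even though the neighbouring `SSL_cert_file`, `SSL_key_file` and `SSL_ca_file` values already come from configurable `$self->tls_*` accessors. Read it from a config entry with a default instead, e.g. `SSL_version => $self->tls_version,`, and document in the plugin's pod that 'TLSv1' alone also rejects clients that only speak SSLv3, which is a behaviour change beyond dropping SSLv2.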
> >>> @@ -176,6 +177,7 @@
> >>>        my $tlssocket = IO::Socket::SSL->new_from_fd(
> >>>            fileno(STDIN), '+>',
> >>>            SSL_use_cert => 1,
> >>> +            SSL_version => 'TLSv1',
> >>>            SSL_cert_file => $self->tls_cert,
> >>>            SSL_key_file => $self->tls_key,
> >>>            SSL_ca_file => $self->tls_ca,
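Review bot: the same `'TLSv1'` literal is repeated in the `new_from_fd` call, so the two call sites will drift the first time one of them is edited; both should take the value from the one helper or config entry used for the SSL_Context above. Since the patch is described as untested, verify the intended behaviour at both call sites with `openssl s_client -starttls smtp -ssl3` and `openssl s_client -starttls smtp -tls1` against the server and confirm which handshakes are accepted.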
> >>> 
> >> 
> >> 
> 

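The thread's proposal, a config-file option for SSL_version with a sane default rather than a literal in two places, as an added example in Perl that is not part of qpsmtpd's tls plugin or of either poster's patch. The `%config` hash stands in for qpsmtpd's one-value config files, the `tls_version`/`tls_args` helpers and the cert/key paths are assumptions, and the whitelist uses the SSL_version values IO::Socket::SSL documents; which protocol versions each value actually negotiates depends on the installed module and OpenSSL, so check the pod before relying on it.

```perl
#!/usr/bin/perl
# Added example (not qpsmtpd's tls plugin): config-driven SSL_version with a
# validated default, plus one argument list shared by both call sites.
use strict;
use warnings;
use IO::Socket::SSL;

# Constructed stand-in for qpsmtpd's one-value config files
# (config/tls_version, config/tls_ciphers). A real plugin would fetch these
# via $self->qp->config(...) (assumption); here they are a plain hash.
my %config = (
    tls_version => 'SSLv3',               # default suggested in the thread
    tls_ciphers => 'HIGH:!SSLv2:!aNULL',  # exclude SSLv2 ciphers and anon DH
);

# Values IO::Socket::SSL documents for SSL_version. Which protocol versions
# each one negotiates is decided by the OpenSSL method it maps to, so check
# the installed module's pod before relying on a given set.
my %allowed_version = map { $_ => 1 } qw(SSLv23 SSLv3 TLSv1);

# Returns the configured SSL_version or the default; dies on an unknown
# value rather than silently falling back to a weaker setting.
sub tls_version {
    my ($cfg, $default) = @_;
    $default = 'SSLv3' unless defined $default;
    my $v = (defined $cfg->{tls_version} && length $cfg->{tls_version})
          ? $cfg->{tls_version} : $default;
    $v =~ s/^\s+|\s+$//g;
    die "tls_version '$v' is not one of "
      . join(', ', sort keys %allowed_version) . "\n"
        unless $allowed_version{$v};
    return $v;
}

# Arguments shared by the SSL_Context and the new_from_fd call sites, so the
# two places in the plugin cannot drift apart.
sub tls_args {
    my ($cfg, $cert, $key) = @_;
    return (
        SSL_server      => 1,
        SSL_use_cert    => 1,
        SSL_version     => tls_version($cfg),
        SSL_cipher_list => $cfg->{tls_ciphers} || 'HIGH',
        SSL_cert_file   => $cert,   # placeholder path
        SSL_key_file    => $key,    # placeholder path
    );
}

# Usage: perl tls_version.pl server.crt server.key
my ($cert, $key) = @ARGV;
if (defined $cert && defined $key) {
    my $ctx = IO::Socket::SSL::SSL_Context->new(tls_args(\%config, $cert, $key))
        or die "SSL context failed: " . IO::Socket::SSL::errstr() . "\n";
    print "SSL context created with SSL_version=", tls_version(\%config), "\n";
} else {
    print "validated SSL_version=", tls_version(\%config), "\n";
}
```

Setting `tls_version` to anything outside the whitelist aborts startup instead of falling through to the library default, which is the failure mode you want for a security knob; both call sites in a plugin would spread `tls_args(...)` so a later move from one protocol version to another is a config change, as Matt argues, rather than a code edit.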