Mailinglist Archive: opensuse-buildservice (327 mails)
Re: [opensuse-buildservice] [PATCH] osc: Use tlsv1 instead of SSLv23
- From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
- Date: Tue, 19 Apr 2011 17:26:43 +0200
- Message-id: <201104191726.43757.ludwig.nussel@suse.de>
Cristian Rodríguez wrote:
- SSL.Context.__init__(self, 'sslv23')
+ SSL.Context.__init__(self, 'tlsv1')
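Review bot: the '+' line pins the context to 'tlsv1', which fixes the client to TLS 1.0 and stops it from negotiating any newer TLS version a server offers. Suggest keeping 'sslv23' on this call and excluding SSLv2 and SSLv3 through the context's options instead, so the old protocols are refused without capping the version.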
That has an unexpected side effect. Selecting TLS 1.0 explicitly will
make openssl only accept that and nothing else. I.e. it would reject TLS
1.1 or any other newer version. Contrary to what the name suggests
SSLv23_client_method does support TLS, any version. It automatically
accepts the best version available. So to force TLS only use
SSLv23_client_method() and disable SSLv2 and SSLv3 :-)
That's exactly what the proposed apache config
SSLProtocol all -SSLv2 -SSLv3
internally does too.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
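The side effect described in this message, shown with Python's standard `ssl` module as an added example (not osc's code and not part of the original mail). The helper names and the two sample server version sets are constructed for illustration, and `negotiate` models version selection from the context's settings rather than performing a handshake.

```python
import ssl
import warnings

V = ssl.TLSVersion
# Versions in ascending order, each paired with the OP_NO_* flag that disables it.
VERSION_FLAGS = [(V.SSLv3, ssl.OP_NO_SSLv3), (V.TLSv1, ssl.OP_NO_TLSv1),
                 (V.TLSv1_1, ssl.OP_NO_TLSv1_1), (V.TLSv1_2, ssl.OP_NO_TLSv1_2),
                 (V.TLSv1_3, ssl.OP_NO_TLSv1_3)]
# Constructed sample peers: the protocol versions each server is willing to speak.
LEGACY_SERVER = {V.SSLv3, V.TLSv1}
MODERN_SERVER = {V.TLSv1_2, V.TLSv1_3}


def _client_context(lowest, highest, drop=0):
    # PROTOCOL_TLS_CLIENT is the client form of PROTOCOL_TLS, the negotiating
    # method that used to be called PROTOCOL_SSLv23.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # old versions/flags warn
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version, ctx.maximum_version = lowest, highest
        ctx.options |= drop
    return ctx


def pinned_tls10_context():
    """Effect of the patch's 'tlsv1': exactly one version is on offer."""
    return _client_context(V.TLSv1, V.TLSv1)


def negotiating_context():
    """Effect of 'sslv23' with SSLv2 and SSLv3 disabled: no upper bound."""
    return _client_context(V.MINIMUM_SUPPORTED, V.MAXIMUM_SUPPORTED,
                           ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)


def permitted_versions(ctx):
    """Versions the context is configured to offer (build limits not considered)."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    return [v for v, off in VERSION_FLAGS
            if (lo == V.MINIMUM_SUPPORTED or v >= lo)
            and (hi == V.MAXIMUM_SUPPORTED or v <= hi)
            and not ctx.options & off]


def negotiate(ctx, server_versions):
    """Model: highest version both sides permit, or None when there is none."""
    common = [v for v in permitted_versions(ctx) if v in server_versions]
    return max(common) if common else None


if __name__ == "__main__":
    for build in (pinned_tls10_context, negotiating_context):
        print(build.__name__, negotiate(build(), LEGACY_SERVER), negotiate(build(), MODERN_SERVER))
```
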