[opensuse-buildservice] [PATCH] osc: Use tlsv1 instead of SSLv23
From: Cristian Rodríguez <cristian.rodriguez@opensuse.org> Signed-off-by: Cristian Rodríguez <cristian.rodriguez@opensuse.org> --- osc/oscssl.py | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/osc/oscssl.py b/osc/oscssl.py index e053838..36b8055 100644 --- a/osc/oscssl.py +++ b/osc/oscssl.py @@ -153,7 +153,7 @@ class ValidationErrors: class mySSLContext(SSL.Context): def __init__(self): - SSL.Context.__init__(self, 'sslv23') + SSL.Context.__init__(self, 'tlsv1') self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2) # m2crypto does this for us but better safe than sorry self.set_session_cache_mode(m2.SSL_SESS_CACHE_CLIENT) self.verrs = None -- 1.7.4.1 -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
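Review bot: changing the context method from 'sslv23' to 'tlsv1' does more than drop SSLv2/SSLv3; it pins the client to TLS 1.0 exclusively, so a server that offers only TLS 1.1 or newer will be rejected by osc. Despite its name, the sslv23 method is the version-negotiating one, and the `self.set_options(m2.SSL_OP_ALL | m2.SSL_OP_NO_SSLv2)` line that already follows is the right place to exclude protocols. Suggest keeping `SSL.Context.__init__(self, 'sslv23')` and adding the corresponding SSL_OP_NO_SSLv3 option to that set_options call, so SSLv2 and SSLv3 are disabled while every TLS version stays negotiable. The commit message is subject-only as well; a line stating what the change is meant to prevent would make the intent reviewable.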
Cristian Rodríguez wrote:
- SSL.Context.__init__(self, 'sslv23') + SSL.Context.__init__(self, 'tlsv1')
That has an unexpected side effect. Selecting TLS 1.0 explicitly will make OpenSSL only accept that and nothing else, i.e. it would reject TLS 1.1 or any other newer version. Contrary to what the name suggests, SSLv23_client_method does support TLS, any version. It automatically accepts the best version available. So to force TLS only, use SSLv23_client_method() and disable SSLv2 and SSLv3 :-) That's exactly what the proposed Apache config SSLProtocol all -SSLv2 -SSLv3 internally does too.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
       SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
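To make the distinction Ludwig draws concrete, here is an added example that is not code from the thread or from osc. It uses Python's standard-library ssl module instead of m2crypto: ssl.PROTOCOL_TLS_CLIENT is the modern name for the version-negotiating SSLv23 method, and minimum_version/maximum_version are the modern knobs for excluding protocol versions (the OP_NO_SSLv2/OP_NO_SSLv3 flags are kept only to mirror the thread's wording). The helper names negotiable_versions, negotiating_context and pinned_context are my own, and pinning to TLS 1.2 stands in for the patch's 'tlsv1' to show the same effect on whatever OpenSSL is linked: one version, nothing older, and nothing newer either.

```python
import ssl

# Every protocol version the ssl module can name, lowest to highest.
# The sentinels TLSVersion.MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean
# "whatever the linked OpenSSL allows"; they resolve to the ends of this list.
KNOWN_VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def negotiable_versions(ctx):
    """Names of the protocol versions a context would still negotiate,
    derived from its minimum_version / maximum_version bounds."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = KNOWN_VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = KNOWN_VERSIONS[-1]
    return [v.name for v in KNOWN_VERSIONS if lo <= v <= hi]


def negotiating_context(floor=ssl.TLSVersion.TLSv1_2):
    """What Ludwig recommends: the version-negotiating method with the old
    protocols excluded. The ceiling is left open, so a newer TLS version
    keeps working without a code change on the client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Legacy spelling of "disable SSLv2 and SSLv3" from the thread; on
    # current OpenSSL these flags are redundant with minimum_version below.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = floor
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def pinned_context(version=ssl.TLSVersion.TLSv1_2):
    """The analogue of the patch's 'tlsv1': exactly one version, so nothing
    older is accepted but, as the side effect Ludwig describes, nothing
    newer is either."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


if __name__ == "__main__":
    print("negotiating:", negotiable_versions(negotiating_context()))
    print("pinned:     ", negotiable_versions(pinned_context()))
```

Run as a script it prints the two lists side by side; the negotiating context still lists TLS 1.3 while the pinned one lists only the version it was pinned to, which is the behaviour the patch would have introduced for TLS 1.1 and later.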
On Tuesday, 19 April 2011, 17:26:43, Ludwig Nussel wrote:
Cristian Rodríguez wrote:
- SSL.Context.__init__(self, 'sslv23') + SSL.Context.__init__(self, 'tlsv1')
That has an unexpected side effect. Selecting TLS 1.0 explicitly will make OpenSSL only accept that and nothing else, i.e. it would reject TLS 1.1 or any other newer version. Contrary to what the name suggests, SSLv23_client_method does support TLS, any version. It automatically accepts the best version available. So to force TLS only, use SSLv23_client_method() and disable SSLv2 and SSLv3 :-) That's exactly what the proposed Apache config SSLProtocol all -SSLv2 -SSLv3 internally does too.
Good, a quick test showed an unpatched osc to use TLS already. So no need to patch osc.

Best,
Jan-Simon