[Gluster-devel] Logjam
Emmanuel Dreyfus
manu at netbsd.org
Wed May 27 04:30:31 UTC 2015
Jeff Darcy <jdarcy at redhat.com> wrote:
> As I'm sure you know, security often involves multiple layers. At the
> time, the OpenSSL method table we used was still one that would allow
> fallback to SSLv3.
You refer to using ssl23_client_method()? That function's name is really
bad because it is the only one that allows negotiation of the highest
protocol available, as opposed to TLSv1_client_method() which is not
able to use TLSv1.2, for instance.
Hence ssl23_client_method() is indeed the way to go, and you are right
it also allows downgrading down to SSLv2 or SSLv3, which brings the
POODLE vulnerability.
But SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 options for
SSL_CTX_set_options() are there to make sure it cannot happen. At
least this is how it is fixed in all software I have been looking at.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org
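
The combination described in this message, as an added example that is not part of the original post or of Gluster's code: it uses Python's ssl module, a wrapper over OpenSSL, where PROTOCOL_TLS_CLIENT selects the version-negotiating method and OP_NO_SSLv2 / OP_NO_SSLv3 are the same option bits given to SSL_CTX_set_options(). The helper names are hypothetical, and the unmasked context is constructed only to show the state before the options are applied.

```python
import ssl
import warnings

# OP_NO_* bits as exposed by Python's OpenSSL wrapper. OP_NO_SSLv2 is 0 when
# the linked OpenSSL (1.1.0 and later) has no SSLv2 code left to disable.
VERSION_MASKS = {
    "SSLv2": int(ssl.OP_NO_SSLv2),
    "SSLv3": int(ssl.OP_NO_SSLv3),
    "TLSv1.2": int(ssl.OP_NO_TLSv1_2),
}
LEGACY = int(ssl.OP_NO_SSLv2) | int(ssl.OP_NO_SSLv3)


def unmasked_versions(ctx):
    """Names from VERSION_MASKS whose OP_NO_* bit is not set on ctx.

    A clear bit means the option mask does not exclude that version; the
    library build may still lack support for it.
    """
    opts = int(ctx.options)
    return [name for name, bit in VERSION_MASKS.items() if bit and not opts & bit]


def negotiating_client_context(mask_legacy):
    """Version-negotiating client context, with or without the legacy mask."""
    with warnings.catch_warnings():
        # Newer Python versions flag OP_NO_* as deprecated; silence that here.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if mask_legacy:
            ctx.options = int(ctx.options) | LEGACY
        else:
            # Constructed "before" state: Python masks SSLv3 by default, so
            # clear the bits to mimic a bare negotiating method table.
            ctx.options = int(ctx.options) & ~LEGACY
    return ctx


if __name__ == "__main__":
    for masked in (False, True):
        ctx = negotiating_client_context(masked)
        print("mask_legacy=%s -> not masked out: %s" % (masked, unmasked_versions(ctx)))
```

With the mask applied, SSLv3 drops out of the list while TLSv1.2 stays available to the negotiation, which is the property a fixed-version method such as TLSv1_client_method() cannot offer.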