crypto policies for F21 without SSL 3.0?
Nikos Mavrogiannopoulos
nmav at redhat.com
Thu Nov 20 08:54:23 UTC 2014
On Wed, 2014-11-19 at 11:19 -0500, Eric H. Christensen wrote:
> On Wed, Nov 19, 2014 at 03:58:36PM +0100, Nikos Mavrogiannopoulos wrote:
> > Hello,
> > Eric Christensen proposed removing SSL 3.0 from the DEFAULT crypto
> > policy in F21, due to the POODLE attack. I experimented a bit, and
> > noticed (again) that openssl cannot set the supported versions via a
> > cipher string, and since NSS is still work in progress, it would
> > actually mean that this setting would only apply to gnutls. Also Tomas
> > Mraz noticed quite few mail clients that still use SSL 3.0 only, meaning
> > SSL 3.0 is not completely dead yet and may cause compatibility issues
> > for Fedora servers that use these strings.
>
> You can't disable SSLv3 in OpenSSL why? AFAIK that functionality has been available for a while.
The only disable SSL 3.0 in openssl is via the SSL_OP_NO_SSLv3 flag
which cannot be set via a cipher string, and that is the only factor
crypto-policies can control.
A way to fix that is by adding a new cipher string for that. If no-one
adds that, we plan to propose such a patch once our patches for custom
cipher strings are accepted.
regards,
Nikos
[0]. https://github.com/openssl/openssl/pull/192
https://github.com/openssl/openssl/pull/193
More information about the security
mailing list