![]() ![]() Online tests are fine and you can use them to make decisions about your configuration, but you should make conscious decision based on what are you trying to achieve. There is no "golden" configuration for TLS (in XMPP or not). It seems that you already made all of those, so you should be fine. Supporting them is also not a vulnerability as such, clients that support forward secrecy will use it, others won't (TLS has builtin protection against downgrade attacks and XMPP clients don't do insecure TLS fallbacks as browsers do). It is desirable, but you have to support clients that can't use it (unless you are sure what kind of clients you use and that they all support forward secrecy and that you do not have s2s connections). You will run into many compatibility problems as there are many clients that do not support it. The point is, you cannot disable cipher suites that do not provide forward secrecy. IMHO you are mistaken, apart from RC4 the current setting is really OK (in fact it was me that contributed it at d2d5138). Reply to this email directly or view it on GitHub /issues/113#issuecomment-29279707 Suites" as there is no such thing, all SSLv3 cipher suites are used also byĪll TLS versions (TLS 1.1/1.2 just adds some new ones). ![]() That while you can disable SSL version 3, you cannot disable "SSLv3 cipher ![]() Options in the p1_tls source, but this is up to developers. Way to setup a server supporting multiple TLS versions (OpenSSL API and itsĭisabling SSLv3 is pretty simple, you must just add SSL_OP_NO_SSLv3 to the OpenSSL it enables all supported TLS versions and is the only usable Please don't be mistaken by the function SSLv23_method(), in If you link it with OpenSSL 1.0.1 you get TLSġ.1/1.2. Underlying OpenSSL library supports (the only exception is that SSLv2 isĮxplicitly disabled). With (Ubuntu contains both OpenSSL 1.0.1 and 0.9.8).Īs for the source code, p1_tls driver will simply use whatever TLS version Please check exactly with what version your p1_tls driver is linked Versions and cipher suite clearly indicates that you are not using OpenSSLġ.0.1. Rid of how to link p1_tls becouse I'm running a binary installation ofĦ Janusz Dziemidowicz it really seems you doesn't. Was just going to send a pull request for SSL_OP_NO_SSLv3, but I can't get Please note that while you can disable SSL version 3, you cannot disable "SSLv3 cipher suites" as there is no such thing, all SSLv3 cipher suites are used also by all TLS versions (TLS 1.1/1.2 just adds some new ones). Please don't be mistaken by the function SSLv23_method(), in OpenSSL it enables all supported TLS versions and is the only usable way to setup a server supporting multiple TLS versions (OpenSSL API and its naming is horrible).ĭisabling SSLv3 is pretty simple, you must just add SSL_OP_NO_SSLv3 to the options in the p1_tls source, but this is up to developers. If you link it with OpenSSL 1.0.1 you get TLS 1.1/1.2. Please check exactly with what version your p1_tls driver is linked with (Ubuntu contains both OpenSSL 1.0.1 and 0.9.8).Īs for the source code, p1_tls driver will simply use whatever TLS version underlying OpenSSL library supports (the only exception is that SSLv2 is explicitly disabled). The set of supported TLS versions and cipher suite clearly indicates that you are not using OpenSSL 1.0.1. Unfortunately, it really seems you don't. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |