[Spice-devel] [PATCH spice-server v2] Use TLS version 1.0 or better

Christophe Fergeau cfergeau at redhat.com
Wed Nov 27 08:48:47 PST 2013 

On Wed, Nov 27, 2013 at 05:39:31PM +0100, David Jaša wrote:
> From fe1531dfae23baa6dfc8b88e08f273906196e1c5 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?David=20Ja=C5=A1a?= <djasa at redhat.com>
> Date: Wed, 27 Nov 2013 17:04:41 +0100
> Subject: [PATCH] Use TLS version 1.0 or better
> 
> When creating a TLS socket, both spice-server and spice-gtk currently
> call SSL_CTX_new(TLSv1_method()). The TLSv1_method() function set the
> protocol version to TLS 1.0 exclusively. The correct way to support
> multiple protocol versions is to call SSLv23_method() in spite of its
> scary name. This method will enable all protocol versions deemed secure
> by openssl project.

This is not what the manpage says

SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)

           A TLS/SSL connection established with these methods will understand
the SSLv2, SSLv3, and TLSv1 protocol. A client will send out SSLv2 client hello
messages and will indicate that it also understands SSLv3 and TLSv1. A server
will understand SSLv2, SSLv3, and TLSv1 client hello messages. This is the best
choice when compatibility is a concern.

(nothing about protocol versions deemed secure or not secure)

> ---
>  server/reds.c |   10 +++++++++-
>  1 files changed, 9 insertions(+), 1 deletions(-)
> 
> diff --git a/server/reds.c b/server/reds.c
> index 2a0002b..fef666d 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -3221,6 +3221,14 @@ static int reds_init_ssl(void)
>      SSL_METHOD *ssl_method;
>  #endif
>      int return_code;
> +    /* When some other SSL/TLS version becomes obsolete, add it to this
> +     * variable.
> +     *
> +     * Note that SSLv23_method() even with no SSL_OP_NO_* options uses
> +     * just protocol versions deemed secure by openssl project so the
> +     * SSL_OP_NO_SSLv2 is already redundant

Same comment

> +     * and SSL_OP_NO_SSLv3 option is
> +     * present just in order to allow only currently-availabe version or

s/availabe/available

> +     * better. */
>      long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
>  
>      /* Global system initialization*/
> @@ -3228,7 +3236,7 @@ static int reds_init_ssl(void)
>      SSL_load_error_strings();
>  
>      /* Create our context*/
> -    ssl_method = TLSv1_method();
> +    ssl_method = SSLv23_method();
>      reds->ctx = SSL_CTX_new(ssl_method);
>      if (!reds->ctx) {
>          spice_warning("Could not allocate new SSL context");



> _______________________________________________
> Spice-devel mailing list
> Spice-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/spice-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/spice-devel/attachments/20131127/a63f114e/attachment.pgp>

More information about the Spice-devel mailing list