[Spice-devel] [PATCH spice-server v2] reds: Disable TLS 1.0
Victor Toso
victortoso at redhat.com
Mon Feb 12 14:49:39 UTC 2018
Hey,
----- Original Message -----
> TLS 1.0 is now considered insecure.
> TLS 1.1 was introduced in 2006.
> Our SPICE clients use OpenSSL for TLS, and the support for TLS 1.1
> in OpenSSL was introduced in 2006 too, so even systems like
> Windows XP, which do not officially support TLS 1.0, will work
> with SPICE and TLS 1.1.
> This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521053.
Yes, this should be fine. Ack.
>
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
> server/reds.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> Changes since v1:
> - update comment to be more precise.
>
> diff --git a/server/reds.c b/server/reds.c
> index fa5e838a..a31ed4e9 100644
> --- a/server/reds.c
> +++ b/server/reds.c
> @@ -2728,10 +2728,10 @@ static int reds_init_ssl(RedsState *reds)
> static GOnce openssl_once = G_ONCE_INIT;
> const SSL_METHOD *ssl_method;
> int return_code;
> - /* Limit connection to TLSv1 only.
> + /* Limit connection to TLSv1.1 or newer.
> * When some other SSL/TLS version becomes obsolete, add it to this
> * variable. */
> - long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
> SSL_OP_NO_COMPRESSION;
> + long ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
> SSL_OP_NO_COMPRESSION | SSL_OP_NO_TLSv1;
>
> /* Global system initialization*/
> g_once(&openssl_once, openssl_global_init, NULL);
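Review bot: ssl_options still sets the protocol floor as a deny-list of individual SSL_OP_NO_* flags, which the comment above it asks maintainers to extend by hand each time a version becomes obsolete; a missed flag leaves an old protocol enabled with no warning. Where the OpenSSL being built against offers it (1.1.0 and later), consider stating the floor once with SSL_CTX_set_min_proto_version() and TLS1_1_VERSION on the context, keeping the SSL_OP_NO_* mask as the fallback for older libraries. The hunk does not show where ssl_options is applied, so it is also worth confirming that this value reaches SSL_CTX_set_options() for every context reds_init_ssl() creates.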
> --
> 2.14.3