Conversation

carlosmn
Member

All versions of SSL are considered deprecated now, so let's ask OpenSSL
to only use TLSv1. We still ask it to load those ciphers for
compatibility with servers which want to use an older hello but will use
TLS for encryption.


This should also go into the maintenance release IMHO.

@carlosmn carlosmn mentioned this pull request Oct 18, 2014
@ethomson
Member

Gah, yes, these should definitely be disabled.

What do you think about also adding SSL_OP_NO_COMPRESSION in case we bump into an older openssl that allows zlib on TLS and is potentially susceptible to CRIME?

@carlosmn
Member Author

That makes sense, putting compression on this level of the stack seems silly at best.

@carlosmn
Member Author

My copy of OpenSSL on the Mac does not have SSL_OP_NO_COMPRESSION. It's not in the documentation for OpenSSL either. Has that maybe been removed?

@ethomson
Member

My OpenSSL (Ubuntu Wheezy) defines it - I suspect it's been removed in newer OpenSSL versions. (Though isn't Apple's OpenSSL a wrapper around SecureTransport? I forget.)

It would be nice to ifdef this - I think disabling compression (if possible) would be helpful?

@ethomson
Member

Sigh. Indeed I meant Debian Wheezy, further confirming that Microsofties don't know anything about Linux.

All versions of SSL are considered deprecated now, so let's ask OpenSSL
to only use TLSv1. We still ask it to load those ciphers for
compatibility with servers which want to use an older hello but will use
TLS for encryption.

For good measure we also disable compression, which can be exploitable,
if the OpenSSL version supports it.
@carlosmn
Member Author

There you go, compression disabled where OpenSSL knows about it.

ethomson added a commit that referenced this pull request Oct 23, 2014
ssl: dump the SSL ciphers in favour of TLS
@ethomson ethomson merged commit d676af4 into master Oct 23, 2014
@ethomson
Member

Awesome.

@carlosmn carlosmn deleted the cmn/ssl-tls branch October 25, 2014 18:55