- Status Closed
- Percent Complete
- Task Type Bug Report
- Category core
- Assigned To No-one
- Operating System Linux
- Severity Medium
- Priority Normal
- Reported Version irssi 0.8.15
- Due in Version Undecided
- Due Date Undecided
- Votes 0
- Private No
Attached to Project: Irssi core bugs
Opened by pi-rho (pi-rho) - 2012-03-28
Last edited by Emanuele Giaquinta (ayin) - 2012-06-24
FS#841 - r5136 (Bazerka, "disable SSLv2") breaks TLS v1.1 servers
According to OpenSSL library documentation[1], calling SSL_CTX_set_options with SSL_OP_NO_SSLv2 is sufficient to disable SSLv2. ORing that value with SSL_OP_ALL turns on a whole host of workarounds. These workarounds actually degrade the security of OpenSSL. A side-effect is that it breaks modern TLSv1.1.
With SSL_OP_ALL | SSL_OP_NO_SSLv2, connecting to a TLS v1.1 server using FIPS algorithms results in "unknown protocol" (Attached: irssi-r5136.patch)
With SSL_OP_NO_SSLv2, connecting to a TLSv1.1 server is successful (Attached: irssi-r5136-revised.patch)
[1] OpenSSL Documentation, SSL_CTX_set_options: http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
This task does not depend on any other tasks.
Closed by Emanuele Giaquinta (ayin)
Sunday, 24 June 2012, 10:57 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in r5216.
irssi-r5136.patch