Module: kamailio Branch: master Commit: 99311ce3fd37eebd4c9f37d25b043c4fae8dd621 URL: https://github.com/kamailio/kamailio/commit/99311ce3fd37eebd4c9f37d25b043c4… Author: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Committer: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: 2015-01-02T11:21:39+01:00 tls: more documentation about tls method values - added notes about tls minimum versions --- Modified: modules/tls/doc/params.xml --- Diff: https://github.com/kamailio/kamailio/commit/99311ce3fd37eebd4c9f37d25b043c4… Patch: https://github.com/kamailio/kamailio/commit/99311ce3fd37eebd4c9f37d25b043c4… --- diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml index a6e5808..ecd5802 100644 --- a/modules/tls/doc/params.xml +++ b/modules/tls/doc/params.xml @@ -27,14 +27,26 @@ </listitem> <listitem> <para> + <emphasis>TLSv1.1+</emphasis> - TLSv1.1 or newer (TLSv1.2, ...) + connections are accepted (available starting with openssl/libssl v1.0.1) + </para> + </listitem> + <listitem> + <para> <emphasis>TLSv1.1</emphasis> - only TLSv1.1 connections are accepted (available starting with openssl/libssl v1.0.1) </para> </listitem> <listitem> <para> - <emphasis>TLSv1</emphasis> - only TLSv1 connections are accepted. - This is the default value. + <emphasis>TLSv1+</emphasis> - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...) + connections are accepted. + </para> + </listitem> + <listitem> + <para> + <emphasis>TLSv1</emphasis> - only TLSv1 (TLSv1.0) connections are + accepted. This is the default value. </para> </listitem> <listitem> @@ -52,17 +64,30 @@ </listitem> <listitem> <para> - <emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 methods - will be accepted, with the following limitation: the initial SSL hello - message must be V2 (in the initial hello all the supported protocols - are advertised enabling switching to a higher and more secure version). - This means connections from SSLv3 or TLSv1 clients will be accepted. - Note: you shouldn't use SSLv2 or SSLv3 for anything which should be highly secure. + <emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 or + newer methods will be accepted. + </para> + <para> + From OpenSSL manual: "A TLS/SSL connection established with these + methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. + If extensions are required (for example server name) a client will + send out TLSv1 client hello messages including extensions and will + indicate that it also understands TLSv1.1, TLSv1.2 and permits a + fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 + and TLSv1.2 protocols. This is the best choice when compatibility + is a concern." + </para> + <para> + Note: For older libssl version, this option allows SSLv2, with hello + messages done over SSLv2. You shouldn't use SSLv2 or SSLv3 for anything + which should be highly secure. </para> </listitem> </itemizedlist> <para> - If rfc3261 conformance is desired, TLSv1 must be used. For compatibility with older clients SSLv23 is a good option. + If rfc3261 conformance is desired, at least TLSv1 must be used. For + compatibility with older clients SSLv23 is the option, but again, be aware + of security concerns, SSLv2/3 being considered very insecure by 2014. </para> <example> <title>Set <varname>tls_method</varname> parameter</title>