Module: sip-router
Branch: master
Commit: 5fe0d14745303c61d3fafe9decbb735d5424a442
URL:
http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5fe0d14…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: Tue Oct 21 16:32:26 2014 +0200
tls: note that SSLv3 should not be used if high security is needed
- the note was already for SSLv2
---
modules/tls/README | 6 ++++--
modules/tls/doc/params.xml | 4 +++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/tls/README b/modules/tls/README
index 09be2bf..713a65e 100644
--- a/modules/tls/README
+++ b/modules/tls/README
@@ -508,7 +508,8 @@ Revoking a certificate and using a CRL
with openssl/libssl v1.0.1)
* TLSv1 - only TLSv1 connections are accepted. This is the default
value.
- * SSLv3 - only SSLv3 connections are accepted
+ * SSLv3 - only SSLv3 connections are accepted. Note: you shouldn't
+ use SSLv3 for anything which should be highly secure.
* SSLv2 - only SSLv2 connections, for old clients. Note: you
shouldn't use SSLv2 for anything which should be highly secure.
Newer versions of libssl don't include support for it anymore.
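Review bot: The added SSLv3 note says what not to use but not what to use instead, and unlike the SSLv2 entry right below it gives no reason or status. Consider pointing the reader at the TLSv1 value listed just above, which this list documents as the default, for example: "Note: you shouldn't use SSLv3 for anything which should be highly secure; use TLSv1 (the default) instead."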
@@ -517,7 +518,8 @@ Revoking a certificate and using a CRL
message must be V2 (in the initial hello all the supported
protocols are advertised enabling switching to a higher and more
secure version). This means connections from SSLv3 or TLSv1 clients
- will be accepted.
+ will be accepted. Note: you shouldn't use SSLv2 or SSLv3 for
+ anything which should be highly secure.
If rfc3261 conformance is desired, TLSv1 must be used. For
compatibility with older clients SSLv23 is a good option.
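Review bot: In the SSLv23 entry, the new warning now sits directly above the unchanged sentence "For compatibility with older clients SSLv23 is a good option", and the entry itself says connections from SSLv3 clients will be accepted, so the paragraph both discourages SSLv3 and recommends a value that allows it. Suggest qualifying the closing sentence in the same change, for example that SSLv23 is an option only where accepting SSLv3 peers is tolerable and that TLSv1 should be used otherwise.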
diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml
index 46de16f..a6e5808 100644
--- a/modules/tls/doc/params.xml
+++ b/modules/tls/doc/params.xml
@@ -39,7 +39,8 @@
</listitem>
<listitem>
<para>
- <emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted
+ <emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted.
+ Note: you shouldn't use SSLv3 for anything which should be highly secure.
</para>
</listitem>
<listitem>
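Review bot: In the SSLv3 <para>, the warning is appended as plain running text after the value description, so in rendered output nothing sets it apart from the description. Consider giving it its own <para> inside the <listitem>, or wrapping "Note:" in <emphasis> as is already done for the value name.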
@@ -56,6 +57,7 @@
message must be V2 (in the initial hello all the supported protocols
are advertised enabling switching to a higher and more secure version).
This means connections from SSLv3 or TLSv1 clients will be accepted.
+ Note: you shouldn't use SSLv2 or SSLv3 for anything which should be highly
secure.
</para>
</listitem>
</itemizedlist>
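Review bot: In the SSLv23 entry, the added note warns against "SSLv2 or SSLv3" but does not say how that relates to the value being described: a reader who sets SSLv23 has not chosen SSLv3, yet per the preceding sentence SSLv3 clients will be accepted. State that directly, for example: "Note: with this value a peer may still connect using SSLv3, so don't use it for anything which should be highly secure." The added line is also much longer than its neighbours (it wrapped in this mail); break it to match the surrounding lines.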