[sr-dev] git:master: tls: note that SSLv3 should not be used if high security is needed

Daniel-Constantin Mierla miconda at gmail.com
Tue Oct 21 16:33:38 CEST 2014


Module: sip-router
Branch: master
Commit: 5fe0d14745303c61d3fafe9decbb735d5424a442
URL:    http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5fe0d14745303c61d3fafe9decbb735d5424a442

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date:   Tue Oct 21 16:32:26 2014 +0200

tls: note that SSLv3 should not be used if high security is needed

- the note was already for SSLv2

---

 modules/tls/README         |    6 ++++--
 modules/tls/doc/params.xml |    4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/modules/tls/README b/modules/tls/README
index 09be2bf..713a65e 100644
--- a/modules/tls/README
+++ b/modules/tls/README
@@ -508,7 +508,8 @@ Revoking a certificate and using a CRL
        with openssl/libssl v1.0.1)
      * TLSv1 - only TLSv1 connections are accepted. This is the default
        value.
-     * SSLv3 - only SSLv3 connections are accepted
+     * SSLv3 - only SSLv3 connections are accepted. Note: you shouldn't
+       use SSLv3 for anything which should be highly secure.
      * SSLv2 - only SSLv2 connections, for old clients. Note: you
        shouldn't use SSLv2 for anything which should be highly secure.
        Newer versions of libssl don't include support for it anymore.
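Review bot: The new SSLv3 note in this list says what to avoid but not what to choose instead. The context line just above already marks TLSv1 as the default value, so the note could end with a pointer to it, for example "use TLSv1 instead", which would give a reader who lands on the SSLv3 entry a concrete next step.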
@@ -517,7 +518,8 @@ Revoking a certificate and using a CRL
        message must be V2 (in the initial hello all the supported
        protocols are advertised enabling switching to a higher and more
        secure version). This means connections from SSLv3 or TLSv1 clients
-       will be accepted.
+       will be accepted. Note: you shouldn't use SSLv2 or SSLv3 for
+       anything which should be highly secure.
 
    If rfc3261 conformance is desired, TLSv1 must be used. For
    compatibility with older clients SSLv23 is a good option.
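Review bot: The trailing context of this hunk still reads "For compatibility with older clients SSLv23 is a good option", which now sits directly below a note telling readers not to use SSLv2 or SSLv3 where high security matters. The two statements pull in opposite directions. Consider qualifying that closing sentence in the same commit, for instance by saying SSLv23 is an option only when older clients must be supported and high security is not required.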
diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml
index 46de16f..a6e5808 100644
--- a/modules/tls/doc/params.xml
+++ b/modules/tls/doc/params.xml
@@ -39,7 +39,8 @@
 			</listitem>
 			<listitem>
 				<para>
-				<emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted
+				<emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted.
+				Note: you shouldn't use SSLv3 for anything which should be highly secure.
 				</para>
 			</listitem>
 			<listitem>
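Review bot: Style point on the added "Note: you shouldn't use SSLv3 ..." line in the SSLv3 listitem: it runs well past the width at which the surrounding lines in this para are wrapped. Breaking it after "for anything" or similar would keep the file consistent and make later diffs of this paragraph easier to read.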
@@ -56,6 +57,7 @@
 				message must be V2 (in the initial hello all the supported protocols
 				are advertised enabling switching to a higher and more secure version).
 				This means connections from SSLv3 or TLSv1 clients will be accepted.
+				Note: you shouldn't use SSLv2 or SSLv3 for anything which should be highly secure.
 				</para>
 			</listitem>
 	</itemizedlist>
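Review bot: In the SSLv23 listitem, the added note warns against SSLv2 and SSLv3 right after the sentence stating that connections from SSLv3 clients will be accepted with this value, but it does not connect the two. As written, a reader may not realise the warning applies to selecting SSLv23 itself. Suggest wording it as a consequence, for example "Note: with this value SSLv3 connections are still accepted, so do not select it for anything which should be highly secure". The added line is also longer than the wrapped lines above it.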



