[sr-dev] git:master:99311ce3: tls: more documentation about tls method values

Daniel-Constantin Mierla miconda at gmail.com
Fri Jan 2 11:24:58 CET 2015


Module: kamailio
Branch: master
Commit: 99311ce3fd37eebd4c9f37d25b043c4fae8dd621
URL: https://github.com/kamailio/kamailio/commit/99311ce3fd37eebd4c9f37d25b043c4fae8dd621

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-01-02T11:21:39+01:00

tls: more documentation about tls method values

- added notes about tls minimum versions

---

Modified: modules/tls/doc/params.xml

---

Diff:  https://github.com/kamailio/kamailio/commit/99311ce3fd37eebd4c9f37d25b043c4fae8dd621.diff
Patch: https://github.com/kamailio/kamailio/commit/99311ce3fd37eebd4c9f37d25b043c4fae8dd621.patch

---

diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml
index a6e5808..ecd5802 100644
--- a/modules/tls/doc/params.xml
+++ b/modules/tls/doc/params.xml
@@ -27,14 +27,26 @@
 			</listitem>
 			<listitem>
 				<para>
+				<emphasis>TLSv1.1+</emphasis> - TLSv1.1 or newer (TLSv1.2, ...)
+				connections are accepted (available starting with openssl/libssl v1.0.1)
+				</para>
+			</listitem>
+			<listitem>
+				<para>
 				<emphasis>TLSv1.1</emphasis> - only TLSv1.1 connections are accepted
 				(available starting with openssl/libssl v1.0.1)
 				</para>
 			</listitem>
 			<listitem>
 				<para>
-				<emphasis>TLSv1</emphasis> - only TLSv1 connections are accepted.
-				This is the default value.
+				<emphasis>TLSv1+</emphasis> - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...)
+				connections are accepted.
+				</para>
+			</listitem>
+			<listitem>
+				<para>
+				<emphasis>TLSv1</emphasis> - only TLSv1 (TLSv1.0) connections are
+				accepted. This is the default value.
 				</para>
 			</listitem>
 			<listitem>
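Review bot: the new TLSv1+ entry (`<emphasis>TLSv1+</emphasis> - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...)`) omits the libssl availability qualifier that the neighbouring TLSv1.1+ and TLSv1.1 entries carry; either add a matching "(available starting with openssl/libssl ...)" note or say explicitly that it works with any supported libssl, so readers can tell the omission is deliberate. Since the default stays TLSv1-only ("This is the default value."), which refuses clients that require TLSv1.1 or newer, a sentence next to the default pointing readers to TLSv1+ when they want newer protocol versions accepted would make the new values easier to find. Minor: "TLSv1 (TLSv1.0)" introduces a second spelling for the same version; using "TLSv1.0" consistently in the descriptions (keeping "TLSv1" as the parameter value) would avoid confusion with the TLSv1+ entry.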
@@ -52,17 +64,30 @@
 			</listitem>
 			<listitem>
 				<para>
-				<emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 methods
-				will be accepted, with the following limitation: the initial SSL hello
-				message must be V2 (in the initial hello all the supported protocols
-				are advertised enabling switching to a higher and more secure version).
-				This means connections from SSLv3 or TLSv1 clients will be accepted.
-				Note: you shouldn't use SSLv2 or SSLv3 for anything which should be highly secure.
+				<emphasis>SSLv23</emphasis> - any of the SSLv2, SSLv3 and TLSv1 or
+				newer methods will be accepted.
+				</para>
+				<para>
+				From OpenSSL manual: "A TLS/SSL connection established with these
+				methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
+				If extensions are required (for example server name) a client will
+				send out TLSv1 client hello messages including extensions and will
+				indicate that it also understands TLSv1.1, TLSv1.2 and permits a
+				fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1
+				and TLSv1.2 protocols. This is the best choice when compatibility
+				is a concern."
+				</para>
+				<para>
+				Note: For older libssl version, this option allows SSLv2, with hello
+				messages done over SSLv2. You shouldn't use SSLv2 or SSLv3 for anything
+				which should be highly secure.
 				</para>
 			</listitem>
 	</itemizedlist>
 	<para>
-		If rfc3261 conformance is desired,  TLSv1 must be used. For compatibility with older clients SSLv23 is a good option.
+		If rfc3261 conformance is desired, at least TLSv1 must be used. For
+		compatibility with older clients SSLv23 is the option, but again, be aware
+		of security concerns, SSLv2/3 being considered very insecure by 2014.
 	</para>
 	<example>
 	    <title>Set <varname>tls_method</varname> parameter</title>
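Review bot: the quotation in the second `<para>` is attributed only as "From OpenSSL manual"; cite the man page and the OpenSSL version it describes (the wording matches SSL_CTX_new(3) in the 1.0.x series), because the third `<para>` itself says the behaviour differs for older libssl. In that third `<para>`, "For older libssl version" should read "versions", and the note would help more if it stated which versions still negotiate SSLv2 under this option instead of leaving that to the reader. In the closing `<para>`, "SSLv23 is the option" reads as a typo for "is an option"; and since the same commit adds TLSv1+, the compatibility advice could recommend that value over SSLv23 for deployments that need several TLS versions without re-enabling SSLv2/SSLv3, consistent with the "very insecure by 2014" warning.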