[sr-dev] git:master:5573fded: tls: refreshed the README

Daniel-Constantin Mierla miconda at gmail.com
Fri Jan 2 11:24:59 CET 2015


Module: kamailio
Branch: master
Commit: 5573fded91a0dc330003ba064e524407d92b2a8a
URL: https://github.com/kamailio/kamailio/commit/5573fded91a0dc330003ba064e524407d92b2a8a

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2015-01-02T11:22:21+01:00

tls: refreshed the README

---

Modified: modules/tls/README

---

Diff:  https://github.com/kamailio/kamailio/commit/5573fded91a0dc330003ba064e524407d92b2a8a.diff
Patch: https://github.com/kamailio/kamailio/commit/5573fded91a0dc330003ba064e524407d92b2a8a.patch

---

diff --git a/modules/tls/README b/modules/tls/README
index 713a65e..aaa7b0b 100644
--- a/modules/tls/README
+++ b/modules/tls/README
@@ -504,25 +504,37 @@ Revoking a certificate and using a CRL
    Sets the SSL/TLS protocol method. Possible values are:
      * TLSv1.2 - only TLSv1.2 connections are accepted (available starting
        with openssl/libssl v1.0.1e)
+     * TLSv1.1+ - TLSv1.1 or newer (TLSv1.2, ...) connections are accepted
+       (available starting with openssl/libssl v1.0.1)
      * TLSv1.1 - only TLSv1.1 connections are accepted (available starting
        with openssl/libssl v1.0.1)
-     * TLSv1 - only TLSv1 connections are accepted. This is the default
-       value.
+     * TLSv1+ - TLSv1.0 or newer (TLSv1.1, TLSv1.2, ...) connections are
+       accepted.
+     * TLSv1 - only TLSv1 (TLSv1.0) connections are accepted. This is the
+       default value.
      * SSLv3 - only SSLv3 connections are accepted. Note: you shouldn't
        use SSLv3 for anything which should be highly secure.
      * SSLv2 - only SSLv2 connections, for old clients. Note: you
        shouldn't use SSLv2 for anything which should be highly secure.
        Newer versions of libssl don't include support for it anymore.
-     * SSLv23 - any of the SSLv2, SSLv3 and TLSv1 methods will be
-       accepted, with the following limitation: the initial SSL hello
-       message must be V2 (in the initial hello all the supported
-       protocols are advertised enabling switching to a higher and more
-       secure version). This means connections from SSLv3 or TLSv1 clients
-       will be accepted. Note: you shouldn't use SSLv2 or SSLv3 for
-       anything which should be highly secure.
-
-   If rfc3261 conformance is desired, TLSv1 must be used. For
-   compatibility with older clients SSLv23 is a good option.
+     * SSLv23 - any of the SSLv2, SSLv3 and TLSv1 or newer methods will be
+       accepted.
+       From OpenSSL manual: "A TLS/SSL connection established with these
+       methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2
+       protocols. If extensions are required (for example server name) a
+       client will send out TLSv1 client hello messages including
+       extensions and will indicate that it also understands TLSv1.1,
+       TLSv1.2 and permits a fallback to SSLv3. A server will support
+       SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best
+       choice when compatibility is a concern."
+       Note: For older libssl version, this option allows SSLv2, with
+       hello messages done over SSLv2. You shouldn't use SSLv2 or SSLv3
+       for anything which should be highly secure.
+
+   If rfc3261 conformance is desired, at least TLSv1 must be used. For
+   compatibility with older clients SSLv23 is the option, but again, be
+   aware of security concerns, SSLv2/3 being considered very insecure by
+   2014.
 
    Example 1.3. Set tls_method parameter
 ...
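Review bot: the closing paragraph of this hunk ("For compatibility with older clients SSLv23 is the option") still points users at SSLv23 for compatibility, even though the same hunk adds TLSv1+ and TLSv1.1+, which by their own description accept TLSv1.0 (or TLSv1.1) and newer without ever admitting SSLv2 or SSLv3. Suggest making TLSv1+ the documented compatibility choice and reserving SSLv23 for the case where SSLv3-only clients must still be accepted, e.g. "For compatibility with older TLS clients use TLSv1+; use SSLv23 only if SSLv3 clients must still be supported, with the security concerns noted above." Two smaller points in the same hunk: the TLSv1.2 entry says "available starting with openssl/libssl v1.0.1e" while the new TLSv1.1+ entry says "v1.0.1", so one of the two version requirements looks wrong and should be reconciled; and since the quoted OpenSSL text says the server "will support SSLv3" under SSLv23, the SSLv23 entry should state plainly that, unlike TLSv1+, it keeps SSLv3 enabled, rather than the vaguer "considered very insecure by 2014".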