[Bug 966793] Re: 19disable_sslv2 patch breaks TLSv1.1
Steve Langasek
steve.langasek at canonical.com
Sun Sep 7 05:59:42 UTC 2014
Utopic now has irssi 0.8.16, so I believe this issue is resolved.
** Changed in: irssi (Ubuntu)
Status: In Progress => Fix Released
https://bugs.launchpad.net/bugs/966793
Title:
19disable_sslv2 patch breaks TLSv1.1
Status in Irssi:
Confirmed
Status in “irssi” package in Ubuntu:
Fix Released
Bug description:
According to OpenSSL library documentation[1], calling
SSL_CTX_set_options with SSL_OP_NO_SSLv2 is sufficient to disable
SSLv2. ORing that value with SSL_OP_ALL turns on a whole host of
workarounds. These workarounds actually degrade the security of
OpenSSL. A side-effect is that it breaks modern TLSv1.1.

With SSL_OP_ALL | SSL_OP_NO_SSLv2, connecting to a TLS v1.1 server
using FIPS algorithms results in "unknown protocol" (Attached:
irssi-r5136.patch)

With SSL_OP_NO_SSLv2, connecting to a TLSv1.1 server is successful
(Attached: irssi-r5136-revised.patch)

Source package with revised patch applied:
https://launchpad.net/~pi-rho/+archive/security/+files/irssi_0.8.15-4ubuntu3~ppa2~p.dsc

Also, reported upstream at:
http://bugs.irssi.org/index.php?do=details&task_id=841

[1] OpenSSL Documentation, SSL_CTX_set_options:
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
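Added example, not part of the bug report or of irssi's patches: the report's distinction between the SSLv2-disable flag and the SSL_OP_ALL workaround bundle, shown through Python's ssl binding to the same OpenSSL option mask. The helper names (split_options, strip_workarounds, report) are made up for this example, and using Python instead of irssi's C code is a choice made here.

```python
import ssl

# Flags whose only job is to switch a protocol version off.
PROTOCOL_OFF = int(ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1
                   | ssl.OP_NO_TLSv1_1 | ssl.OP_NO_TLSv1_2 | ssl.OP_NO_TLSv1_3)
# Python's OP_ALL is OpenSSL's workaround bundle; per the ssl docs it may not
# carry exactly the same bits as the C constant SSL_OP_ALL.
WORKAROUNDS = int(ssl.OP_ALL) & ~PROTOCOL_OFF


def split_options(mask):
    """Return (workaround bits, protocol-off bits, remaining bits) of a mask."""
    mask = int(mask)
    workarounds = mask & WORKAROUNDS
    protocols = mask & PROTOCOL_OFF
    return workarounds, protocols, mask & ~(workarounds | protocols)


def strip_workarounds(ctx):
    """Clear the OP_ALL workaround bits on a context; return the bits removed."""
    before = int(ctx.options)
    removed = before & WORKAROUNDS
    ctx.options = before & ~removed  # protocol-off and other flags are kept
    return removed


def report(label, mask):
    """Format one line showing the three groups of bits in a mask."""
    w, p, o = split_options(mask)
    return f"{label}: workarounds={w:#x} protocol_off={p:#x} other={o:#x}"


if __name__ == "__main__":
    # The two masks from the bug report, built from Python's constants.
    print(report("OP_ALL | OP_NO_SSLv2", ssl.OP_ALL | ssl.OP_NO_SSLv2))
    print(report("OP_NO_SSLv2 only    ", ssl.OP_NO_SSLv2))
    # Per the ssl docs, a new Python context has OP_ALL set by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    print(report("default context     ", ctx.options))
    strip_workarounds(ctx)
    print(report("after stripping     ", ctx.options))
```

On builds linked against OpenSSL 1.1.0 or later, SSL_OP_NO_SSLv2 has the value 0, so the "OP_NO_SSLv2 only" line prints an all-zero mask.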