On Oct 16, 2014, at 7:41 PM, Pascal Dallaire <pascaldalla...@cre-gim.net> wrote:

> Hello there,
> 
> Thanks for answering so quickly! I’m trying to use the older variants method 
> before I upgrade the Calendar server completely. But in this patch, isn’t the 
> best method TLSv1? and not SSLv23?

I was confused by this, too. According to

    https://www.openssl.org/docs/ssl/SSL_CTX_new.html

SSLv23_method is a catch-all, allowing connections using SSLv2, SSLv3, TLSv1, 
TLSv1.1 and TLSv1.2 protocols. You can then exclude particular protocols using, 
e.g.,

    SSL_OP_NO_TLSv1_1

to exclude TLSv1.1 (while still allowing the others).

By contrast, TLSv1_method (or SSLv3_method) allows only connections using that 
particular protocol (respectively TLSv1 and SSLv3).

That may be OK. All (or almost all) clients speak TLSv1. But it would be 
preferable to allow them to negotiate a TLSv1.2 connection if possible.


> 
> Pascal
> 
> On 2014-10-16 at 12:42, Cyrus Daboo <cda...@apple.com> wrote:
> 
>> Hi Pascal,
>> 
>> --On October 16, 2014 at 12:38:37 PM -0400 Pascal Dallaire 
>> <pascaldalla...@cre-gim.net> wrote:
>> 
>>> What is the way to disable SSLv3 in CalendarServer to protect against
>>> POODLE?
>> 
>> Our trunk code has the fix. The svn diff for the change is here:
>> 
>> <https://trac.calendarserver.org/changeset/14035>
>> 
>> Depending on what version you are using, you should be able to apply that 
>> change relatively easily. Older variants might also need the following 
>> applied:
>> 
>> <https://trac.calendarserver.org/changeset/14062>
>> 
>> -- 
>> Cyrus Daboo
> 
> _______________________________________________
> calendarserver-users mailing list
> calendarserver-users@lists.macosforge.org
> https://lists.macosforge.org/mailman/listinfo/calendarserver-users
> 

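Added example, not part of the original thread or of CalendarServer's code: the catch-all-plus-exclusions behaviour described in the reply above, observed with Python's standard `ssl` module from the client side, where no certificate is needed. It builds a version-flexible context (the same family as OpenSSL's SSLv23_method), applies `OP_NO_*` exclusions, and parses the resulting ClientHello to report the highest protocol version still offered; the helper names and the host name `example.test` are assumptions made for this sketch.

```python
import ssl
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def client_hello(exclude=()):
    """Return the raw ClientHello a version-flexible context would send.

    exclude: names such as "SSLv3" or "TLSv1_3", mapped to ssl.OP_NO_<name>.
    """
    # PROTOCOL_TLS_CLIENT negotiates the highest shared version, like the
    # catch-all SSLv23_method discussed in the thread.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for name in exclude:
        ctx.options |= getattr(ssl, "OP_NO_" + name)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.test" is a placeholder host name; nothing is sent on a network.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.test")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: there is no peer, only the hello was produced
    return outgoing.read()

def highest_offered(record):
    """Parse a ClientHello record and name the highest version it offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    pos = 9  # skip 5-byte record header and 4-byte handshake header
    (best,) = struct.unpack_from("!H", record, pos)      # legacy_version
    pos += 2 + 32                                        # version + random
    pos += 1 + record[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:  # supported_versions: overrides legacy_version
            body = record[pos + 1:pos + 1 + record[pos]]
            best = max(v for (v,) in struct.iter_unpack("!H", body))
        pos += ext_len
    return NAMES.get(best, hex(best))

if __name__ == "__main__":
    print("no exclusions:  ", highest_offered(client_hello()))
    print("exclude TLSv1_3:", highest_offered(client_hello(["TLSv1_3"])))
```

Excluding a version removes only that version from the offer, so the peer can still negotiate the best remaining one, which is the property a single-version method such as TLSv1_method gives up.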