On sab, nov 08, 2014 at 04:27:57 +0100, Kurt Roeckx wrote:
> On Sat, Nov 08, 2014 at 03:22:50PM +0100, Alessandro Ghedini wrote:
> > On sab, nov 08, 2014 at 01:15:14 +0100, Kurt Roeckx wrote:
> > > Package: curl
> > > Severity: important
> > > Tags: patch
> > > 
> > > Hi,
> > > 
> > > I would like to get rid of the SSLv3 methods in openssl.
> > 
> > Is this a jessie objective? If not, it will have to wait until after the 
> > freeze.
> 
> It is for me, not sure about the release team's point of view.
> And I'm guessing it's going to depend on how many of those bugs I
> can get fixed.

Let's put it this way, I won't upload anything to unstable unless I know that
it'll migrate to testing (at least until the 5th of december or so which is IIRC
the limit for unstable->jessie unblocks). So, unless the release team gives you
the ok, the most I can do is upload to experimental.

I have nothing against this report, but I'd also like to be able to have
sid->jessie migrations for as long as possible if needed, in order to avoid
having to prepare 3 different package uploads in case of problems.

> > > The patch brings curl in the same state as for SSLv2 in that it
> > > doesn't try and use SSLv3 methods when openssl is build without
> > > SSLv3 support.
> > 
> > The patch you posted is incomplete (there's another switch that needs to be
> > ifdeffed). I'll try to put something together and forward it upstream.
> 
> You mean the part that sets options?  I see no point in doing that
> since you shouldn't be able to reach that point, it does nothing
> wrong, and it builds just fine.

Yeah, it looks like you are right. Anyway, I already forwarded the patch
upstream.

> > Anyway, note that there are still quite a bit of SSLv3-only servers
> > (particularly Windows servers) that don't work with TLSv1.x at all (like, they
> > even fail during the handshake if you dare propose TLS1 to them).
> 
> What version of windows are you talking about in that case?  Even
> windows NT 4.0 supports TLS 1.0.

TBH I have no idea, but I've received plenty of bug reports about curl not being
able to connect to Windows servers and it later turned out that the Windows
thingy broke during the handshake because they didn't know about TLS1+. I'm
assuming a really really old Windows version though.

Cheers
