#2555: Client unable to connect with recent openSSL library / disable SSLv3 usage
---------------------+--------------------
Reporter:   jor123   | Owner:
Type:       bug      | Status:     new
Priority:   major    | Milestone:  1.3.x
Component:  Core     | Version:    1.3.10
Resolution:          | Keywords:
---------------------+--------------------
Comment (by jor123):

Yes, makes sense to use TLS 1.2 when interoperability with older
clients/servers (on WinXP or Android 2.x?) is not an issue.

And regarding the helpfulness of Debian: that's probably a bit off-topic
for this bug report... so I'll try to keep it short :)

Yes, the only known exploit is with the HTTP protocol (and a browser with
JavaScript), but others could be similarly vulnerable. I'm not familiar
with the used RPC protocol, are you absolutely sure it's not vulnerable?
(no session-id like content? can I maybe manipulate the content of rpc
messages by doing something through the torrent protocol?)

Anyway, I believe the general consensus is to phase out the usage of SSLv3
before more exploits show up.

It's only in Debian 'unstable' distribution for now, probably one of the
few places where something like this can be phased out more quickly and
get some testing to see what breaks :)

I suspect other distributions (and OpenSSL itself) will follow in their
next major releases.

--
Ticket URL: <http://dev.deluge-torrent.org/ticket/2555#comment:3>
Deluge <http://deluge-torrent.org/>
Deluge Project