[Pkg-ace-devel] SSLv2

Thomas Girard thomas.g.girard at free.fr
Sun May 1 11:42:13 UTC 2011


Hello,

it's a bit late to look into this, sorry about that.

On 25/04/2011 10:00, Pau Garcia i Quiles wrote:
> I am not sure how to disable it:
> 
> a) Keep the SSLv2 entries in the enumerations but make them actually use SSLv3.
> 
> This is what I did yesterday but after doing it I am not sure it's the
> best choice.
> 
> It has the advantage if the application uses Debian on both sides,
> there is no need for changes in the application. On the other hand, it
> may lead to very weird-to-debug situations if you are connecting to an
> SSLv2-only service that is not using Debian on the other side ("hey,
> I'm telling it to use SSLv2 yet it fails", yeah, it's because ACE
> SSLv2 is actually ACE SSLv3).
> 
> 
> 
> b) Completely remove SSLv2
> 
> Meaning: including removal from the enumerations, but keeping the
> blanks for the former SSLv2 values (to avoid renumbering the
> enumerations).
> 
> Advantage: it makes explicit SSLv2 is no longer supported.
> 
> Disadvantage: I need to check what happens with SSLv23 calls, I can't
> remember if the code is easily transformable to SSLv3 calls.
> 
> I think this is the best choice.

My understanding of this is that when using set_mode({1,2,3}) for SSLv2
or set_mode({7,8,9}) for SSLv23 then the mode will be silently changed
to SSLv3 method. Am I correct?

The enum members were removed, but there are cases where it could harm:

 - if there is a client-server mode negotiation, and the other side
   sends this now removed value (e.g. another ORB, or an unpatched TAO
   on Windows).

   => is there a client-server mode negotiation?

 - if a program was compiled with the previous header version, then it
   would have captured the enum value, hence switching to v3
   automatically.

I'm also quite surprised by the default: clause in the original code.
Not defensive: if you pass any garbage input, you get SSLv3.

After thinking about this, I'm not sure solution b) is the right
approach.

> c) Just disable SSLv2
> 
> Meaning: keep the enumerations, keep the methods, but instead of
> making the calls to OpenSSL, fail. IMHO we should completely discard
> this.

Why should it be a bad idea?

Regards,

Thomas
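To make the point about the bare default: clause concrete, here is an added illustration that is not ACE's code and not from this thread: a mode-to-method lookup in the permissive shape the message objects to, next to a defensive shape that keeps the numeric slots (so nothing is renumbered) but fails explicitly for the removed SSLv2 values and for unknown input. Mode numbers 1-3 and 7-9 follow the thread; the SSLv3 slots 4-6, the enum names and the Outcome/Resolution types are assumptions of this example.

```cpp
#include <string>

// Added illustration, not ACE's own code. Mode numbers follow the thread
// (1-3 SSLv2, 7-9 SSLv23); the SSLv3 slot numbers 4-6 are assumed here.
enum SslMode {
    MODE_SSLV2_CLIENT = 1, MODE_SSLV2_SERVER = 2, MODE_SSLV2 = 3,
    MODE_SSLV3_CLIENT = 4, MODE_SSLV3_SERVER = 5, MODE_SSLV3 = 6,
    MODE_SSLV23_CLIENT = 7, MODE_SSLV23_SERVER = 8, MODE_SSLV23 = 9
};

enum class Outcome { Accepted, RejectedRemoved, RejectedUnknown };

struct Resolution {
    Outcome outcome;
    std::string method;   // name of the OpenSSL method that would be selected
};

// Permissive shape: a bare default clause swallows the removed SSLv2
// values, a value captured by a program built against the old header,
// a foreign value sent by an unpatched peer, and outright garbage.
Resolution resolve_permissive(int mode) {
    switch (mode) {
    case MODE_SSLV3_CLIENT:  return {Outcome::Accepted, "SSLv3_client_method"};
    case MODE_SSLV3_SERVER:  return {Outcome::Accepted, "SSLv3_server_method"};
    case MODE_SSLV23_CLIENT: return {Outcome::Accepted, "SSLv23_client_method"};
    case MODE_SSLV23_SERVER: return {Outcome::Accepted, "SSLv23_server_method"};
    case MODE_SSLV23:        return {Outcome::Accepted, "SSLv23_method"};
    default:                 return {Outcome::Accepted, "SSLv3_method"};
    }
}

// Defensive shape: the still-valid modes are listed exhaustively, the
// SSLv2 slots 1-3 keep their numbers but fail explicitly, and anything
// else is reported as unknown instead of quietly becoming SSLv3.
Resolution resolve_defensive(int mode) {
    switch (mode) {
    case MODE_SSLV3_CLIENT:  return {Outcome::Accepted, "SSLv3_client_method"};
    case MODE_SSLV3_SERVER:  return {Outcome::Accepted, "SSLv3_server_method"};
    case MODE_SSLV3:         return {Outcome::Accepted, "SSLv3_method"};
    case MODE_SSLV23_CLIENT: return {Outcome::Accepted, "SSLv23_client_method"};
    case MODE_SSLV23_SERVER: return {Outcome::Accepted, "SSLv23_server_method"};
    case MODE_SSLV23:        return {Outcome::Accepted, "SSLv23_method"};
    case MODE_SSLV2_CLIENT:
    case MODE_SSLV2_SERVER:
    case MODE_SSLV2:         return {Outcome::RejectedRemoved, ""};
    default:                 return {Outcome::RejectedUnknown, ""};
    }
}
```

The caller of the defensive version can then log the rejected value, which is exactly the signal lost when an old binary or an unpatched peer still hands over an SSLv2 mode number.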
