[Pkg-voip-commits] [resiprocate] 03/03: Sync repro.config from upstream

Daniel Pocock pocock at moszumanska.debian.org
Sun Dec 7 18:14:21 UTC 2014



pocock pushed a commit to branch master
in repository resiprocate.

commit 346fb4d6f47fc9bba2eeda079d7735222b6db9f4
Author: Daniel Pocock <daniel at pocock.pro>
Date:   Sun Dec 7 18:32:14 2014 +0100

    Sync repro.config from upstream
---
 debian/conf/repro.config | 54 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/debian/conf/repro.config b/debian/conf/repro.config
index 60fbe08..62f95df 100644
--- a/debian/conf/repro.config
+++ b/debian/conf/repro.config
@@ -89,6 +89,24 @@ TLSPrivateKey =
 #    SIP messages coming from the peer
 TLSClientVerification = None
 
+# The SSL or TLS connection mode to use
+# SSL v2 and v3 are deprecated and SSL v2 is particularly insecure
+# and should be avoided.
+# TLSv1 was the default up to and including reSIProcate v1.9.7.
+# With the setting TLSv1, only TLS v1.0 could be used
+# and not TLS v1.1 or newer versions.
+# The value SSLv23 works as a catch-all and gives the potential
+# to allow all the SSL and TLS versions.  Despite the name SSLv23, it
+# does not allow SSL v2.0 or v3.0 if the SSL_CTX_set_options method is used
+# to prohibit them.
+# See the page https://www.openssl.org/docs/ssl/SSL_CTX_new.html
+# for a more detailed discussion of how repro will behave when
+# using the values SSLv23 or TLSv1 here.
+# For optimal security and compatibility, set SSLv23 here and make sure
+# that the parameter OpenSSLCTXSetOptions (later in repro.config)
+# contains the values SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3
+TLSConnectionMethod = SSLv23
+
 # Whether we accept the subjectAltName email address as if it was a SIP
 # address (when checking the validity of a client certificate)
 # Very few commercial CAs offer support for SIP addresses in subjectAltName
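Review bot: The guidance `# For optimal security and compatibility, set SSLv23 here and make sure that the parameter OpenSSLCTXSetOptions (later in repro.config) contains the values SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3` conflicts with the later OpenSSLCTXSetOptions hunk, which states that the stack adds those two flags by default and ships the parameter commented out; an administrator following the wording here will believe they must uncomment that line, while the real risk is removing the flags through OpenSSLCTXClearOptions. I would reword it to `# SSLv23 lets OpenSSL negotiate the highest version both sides support; the stack adds SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 to OpenSSLCTXSetOptions by default, so do not clear them with OpenSSLCTXClearOptions.` Since the comment above says this mode has the potential to allow every SSL and TLS version, it is also worth stating that with SSLv23 the minimum version accepted is governed solely by the SSL_OP_NO_* flags in effect, not by this setting.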
@@ -109,6 +127,7 @@ TLSUseEmailAsSIP = false
 # Transport<Num>TlsCertificate = <TLSCertificate> - only for TLS, DTLS or WSS
 # Transport<Num>TlsPrivateKey = <TLSPrivateKey> - only for TLS, DTLS or WSS
 # Transport<Num>TlsClientVerification = <'None'|'Optional'|'Mandatory'> - default is None
+# Transport<Num>TlsConnectionMethod = <'TLSv1'|'SSLv23'> - default is SSLv23
 # Transport<Num>RecordRouteUri = <'auto'|URI> - if set to auto then record route URI
 #                                               is automatically generated from the other
 #                                               transport settings.  Otherwise explicity
@@ -316,6 +335,41 @@ CADirectory = /etc/ssl/certs
 # includes the class 1 root and the class 3 root (signed by the class 1 root)
 #CAFile = /etc/ssl/certs/cacert.org.pem
 
+# This option specifies flags to be passed to OpenSSL's
+# SSL_CTX_set_options method after creating the SSL context
+# for a transport.
+#
+# The flags here are added (logical OR) to any existing flags already
+# set by default within the OpenSSL stack.
+#
+# By default, the reSIProcate stack adds flags SSL_OP_NO_SSLv2
+# and SSL_OP_NO_SSLv3 flags which disable deprecated and insecure
+# SSL versions.  To add more flags, uncomment the line below and add
+# the flags required, separated by commas.
+#OpenSSLCTXSetOptions = SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3
+
+# This option specifies flags to be passed to OpenSSL's
+# SSL_CTX_clear_options method after creating the SSL context
+# for a transport.
+#
+# The flags here are removed from any existing flags
+# already set by default within the OpenSSL stack.
+#
+# To clear the option SSL_OP_NO_SSLv3 and get SSLv3 support
+# (not recommended for security reasons), uncomment the example below:
+#OpenSSLCTXClearOptions = SSL_OP_NO_SSLv3
+
+# This parameter specifies the cipher list to be passed to
+# SSL_CTX_set_cipher_list.
+# The default value is defined in the code as BaseSecurity::ExportableSuite
+# Uncomment the line below and add or remove cipher names as required.
+# See https://www.openssl.org/docs/apps/ciphers.html for details
+# of the format of this parameter.
+#OpenSSLCipherList = !SSLv2:aRSA+AES:aDSS+AES:@STRENGTH:aRSA+3DES:aDSS+3DES:aRSA+RC4+MEDIUM:aDSS+RC4+MEDIUM:aRSA+DES:aDSS+DES:aRSA+RC4:aDSS+RC4
+
+# and a slightly strong cipher list:
+#OpenSSLCipherList = !SSLv2:aRSA+AES:aDSS+AES:@STRENGTH:aRSA+3DES:aDSS+3DES
+
 # The Path to read and write Berkely DB database files
 DatabasePath = /var/lib/repro
 
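Review bot: The commented example on the `#OpenSSLCipherList = !SSLv2:aRSA+AES:...` line, which the comment says mirrors the code default BaseSecurity::ExportableSuite, includes RC4 and single-DES suites (`aRSA+RC4+MEDIUM`, `aRSA+DES`, `aRSA+RC4` and their aDSS counterparts) without any warning, and the alternative is labelled only as "slightly strong" while still admitting 3DES. Because these comments are what administrators read when tuning the proxy, I would annotate the first example with `# NOTE: this default keeps RC4 and single-DES suites for compatibility with old peers; prefer the stronger list below unless such peers must be supported.` and correct the second heading to `# and a slightly stronger cipher list (AES preferred, 3DES only as fallback):`. The `!SSLv2` prefix in both lists is harmless but redundant once SSL_OP_NO_SSLv2 is set, which the OpenSSLCTXSetOptions comment above says is the default.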



