irssibot
commented
12 years ago -
-
- Attachment 278 by @pi-rho
-
irssi-r5136.patch
Index: src/core/network-openssl.c
===================================================================
--- src/core/network-openssl.c (revision 5135)
+++ src/core/network-openssl.c (revision 5136)
@@ -406,6 +406,7 @@
g_error("Could not allocate memory for SSL context");
return NULL;
}
+ SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
if (mycert && *mycert) {
char *scert = NULL, *spkey = NULL;
According to OpenSSL library documentation[1], calling SSL_CTX_set_options with SSL_OP_NO_SSLv2 is sufficient to disable SSLv2. ORing that value with SSL_OP_ALL turns on a whole host of workarounds. These workarounds actually degrade the security of OpenSSL. A side-effect is that it breaks modern TLSv1.1.
With SSL_OP_ALL | SSL_OP_NO_SSLv2, connecting to a TLS v1.1 server using FIPS algorithms results in "unknown protocol" (Attached: irssi-r5136.patch)
With SSL_OP_NO_SSLv2, connecting to a TLSv1.1 server is successful (Attached: irssi-r5136-revised.patch)
[1] OpenSSL Documentation, SSL_CTX_set_options: http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html