[ejabberd] poodle and linux versions

Peter Viskup skupko.sk at gmail.com
Fri Oct 17 15:51:05 MSK 2014


You should consider implementing TLS_FALLBACK_SCSV [1] too.
Be sure the patch for CVE-2014-3568 is applied to your OpenSSL library.

I was in touch with the new ejabberd maintainers and they don't have time for
backporting all the packages for wheezy. It's a lot of work due to
complicated dependencies. I started with the work, but didn't have time to
finish it either. I can come back to you once it's available.

[1] https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

On Thu, Oct 16, 2014 at 8:08 PM, Randy Bush <randy at psg.com> wrote:

> Well, the approach (patch and rebuild rather than jumping to 14.07)
> may be reasonable, but the suggested patch is wrong.  The file in
> question is ejabberd/src/tls/tls_drv.c.  The suggested patch is:
>
> > - #define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2"
> > + #define CIPHERS "DEFAULT:!EXPORT:!LOW:!SSLv2:!SSLv3"
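Review bot: The `+` line edits the CIPHERS string, which OpenSSL reads as a cipher-suite selection, so `!SSLv3` only removes cipher suites from the list and does not stop a client from completing an SSLv3 handshake with whatever suites remain; the protocol-level control is `SSL_CTX_set_options` with `SSL_OP_NO_SSLv3`, as proposed further down in this message.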
>
> which changes the cipher list, not the protocol list.
>
> I think the right patch, if we take this path, is:
>
> -       SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_TICKET);
> +       SSL_CTX_set_options(ctx,
> SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TICKET);
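Review bot: The `+` line is the right control for POODLE, since `SSL_OP_NO_SSLv3` is a protocol option bit rather than a cipher choice, but in the quoted form the statement is wrapped after `ctx,`; when applying it, keep it as a single statement. Note that this option only governs which protocol versions this context will negotiate; honouring TLS_FALLBACK_SCSV, as suggested in the reply above, depends on the OpenSSL library carrying the CVE-2014-3568 fix, not on anything in this line.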
>
> Granted, one might //also// want to tweak the cipher list as long as
> one has the cover off, but Poodle is about protocol, not cipher.
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd
>
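As an added check, not from this thread and not ejabberd's own code: a small POSIX shell script that probes your own ejabberd listener with the openssl CLI and classifies the result, to confirm both points raised above, namely that SSLv3 is refused once the SSL_OP_NO_SSLv3 change is in place, and that TLS_FALLBACK_SCSV is honoured once OpenSSL carries the CVE-2014-3568 fix. The function names (classify_probe, probe), the S_CLIENT_EXTRA variable and the sample outputs in the comments are my own constructions; it assumes an openssl binary that still accepts -ssl3 and -fallback_scsv (1.0.1j era).

```shell
#!/bin/sh
# Added example (not part of the thread): classify `openssl s_client` output
# from a probe of your own server, after the SSLv3 / TLS_FALLBACK_SCSV fixes.
# Assumes an OpenSSL CLI that still understands -ssl3 and -fallback_scsv.

# classify_probe MODE OUTPUT
#   MODE is "ssl3" or "scsv"; OUTPUT is the combined stdout+stderr of s_client.
#   Prints PASS, FAIL or UNKNOWN and returns 0 only for PASS.
classify_probe() {
  mode=$1
  out=$2
  case $mode in
    ssl3)
      # A server that still negotiates SSLv3 prints a "Protocol  : SSLv3" line.
      if printf '%s\n' "$out" | grep -Eq 'Protocol *: *SSLv3'; then
        echo FAIL; return 1
      # A patched server aborts the handshake; OpenSSL reports it as an alert.
      elif printf '%s\n' "$out" | grep -Eqi 'handshake failure|wrong version number|unsupported protocol'; then
        echo PASS; return 0
      fi ;;
    scsv)
      # With -fallback_scsv and a forced lower version, a server that honours
      # TLS_FALLBACK_SCSV answers with an "inappropriate fallback" alert.
      if printf '%s\n' "$out" | grep -Eqi 'inappropriate fallback'; then
        echo PASS; return 0
      # Otherwise the server quietly accepted the downgraded handshake.
      elif printf '%s\n' "$out" | grep -Eq 'Protocol *: *TLSv1'; then
        echo FAIL; return 1
      fi ;;
  esac
  # Anything else (e.g. "unknown option -ssl3" from a newer openssl build).
  echo UNKNOWN; return 1
}

# probe HOST:PORT MODE
#   Runs the real probe. Port 5223 is direct TLS; for 5222 set
#   S_CLIENT_EXTRA='-starttls xmpp' (hypothetical variable, word-split on purpose).
probe() {
  target=$1
  mode=$2
  case $mode in
    ssl3)
      out=$(openssl s_client -connect "$target" -ssl3 ${S_CLIENT_EXTRA:-} </dev/null 2>&1) ;;
    scsv)
      # Offer at most TLS 1.0 together with the fallback SCSV; a server that
      # supports a higher version and the SCSV must refuse this handshake.
      out=$(openssl s_client -connect "$target" -fallback_scsv -no_tls1_2 -no_tls1_1 \
            ${S_CLIENT_EXTRA:-} </dev/null 2>&1) ;;
    *)
      echo "usage: probe HOST:PORT ssl3|scsv" >&2; return 2 ;;
  esac
  classify_probe "$mode" "$out"
}
```

Run it as `probe chat.example.org:5223 ssl3` and `probe chat.example.org:5223 scsv` against your own host. A FAIL on the scsv probe is only acceptable when TLS 1.0 is genuinely the server's highest version, because the inappropriate_fallback alert is sent only when the server knows a higher version was available.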