19disable_sslv2 patch breaks TLSv1.1
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Irssi |
Confirmed
|
Undecided
|
Unassigned | ||
irssi (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
According to OpenSSL library documentation[1], calling SSL_CTX_set_options with SSL_OP_NO_SSLv2 is sufficient to disable SSLv2. ORing that value with SSL_OP_ALL turns on a whole host of workarounds. These workarounds actually degrade the security of OpenSSL. A side-effect is that it breaks modern TLSv1.1.
With SSL_OP_ALL | SSL_OP_NO_SSLv2, connecting to a TLS v1.1 server using FIPS algorithms results in "unknown protocol" (Attached: irssi-r5136.patch)
With SSL_OP_NO_SSLv2, connecting to a TLSv1.1 server is successful (Attached: irssi-r5136-
Source package with revised patch applied: https:/
Also, reported upstream at: http://
[1] OpenSSL Documentation, SSL_CTX_
Attached original patch (named 19disable_sslv2 in the Ubuntu source package, svn revision 5136 in the upstream vcs)