Thread: SSL (patch 2)

SSL (patch 2)

From
Bear Giles
Date:
This patch adds calls to SSL_get_error() after SSL_read() and
SSL_write(), adds SSL_shutdown() before SSL_free(), and changes
default protocol from SSLv3 to TLSv1.

Bear

Attachment

Re: SSL (patch 2)

From
Peter Eisentraut
Date:
Bear Giles writes:

> This patch adds calls to SSL_get_error() after SSL_read() and
> SSL_write(), adds SSL_shutdown() before SSL_free(), and changes
> default protocol from SSLv3 to TLSv1.

What are the advantages and ramifications of changing this protocol?  If
it's the "default" protocol, how can I change it?  Patch is OK besides
that.

--
Peter Eisentraut   peter_e@gmx.net
Re: SSL (patch 2)

From
Bear Giles
Date:
> Bear Giles writes:
>
> > This patch adds calls to SSL_get_error() after SSL_read() and
> > SSL_write(), adds SSL_shutdown() before SSL_free(), and changes
> > default protocol from SSLv3 to TLSv1.
>
> What are the advantages and ramifications of changing this protocol?  If
> it's the "default" protocol, how can I change it?  Patch is OK besides
> that.

It's politics.  SSL was written by Netscape, Microsoft came out with
their own incompatible extensions, and the IETF formed a group to find
a solution that left nobody happy but which everyone could live with.
It would have been adopted years ago except that the X.509 group
got hung up on something, and since TLS depends on X.509 it couldn't
be adopted until X.509 was.

So now SSL is essentially dead - it works, but it won't be fixed if
another security hole is found (which is how SSLv2 begat SSLv3).  TLSv1
wants you to do some things that SSLv3 lets slide.

The only potential downside is that I'm not entirely sure old libraries
will be happy with the new server, but the rest of the changes are so
profound that the release notes should strongly recommend that anyone
using direct SSL upgrade anyway, so it's easier to make this change now
than in a future release.

Bear