Bugzilla – Bug 5306
consider disabling SSL3 in tlstunnel
Last modified: 2015-03-20 10:30:06
You need to
before you can comment on or make changes to this bug.
There is a new MITM attack on SSL3 out called POODLE. This is a design flaw in
SSL3 and there doesn't seem to be a way to work around it. So the general
recommendation is to start disabling SSL3 everywhere.
Browsers have already started disabling SSL3 on their end so it's probably not
a major cause for alarm for ThinLinc users. The main attack vector also seems
to be to steal cookies, which we do not use. Still, better safe than sorry and
we should prevent users from accidentally using an insecure protocol.
We need to double check that we don't lock out any significant browsers by
doing this. Other than that it should just be a matter of changing the GnuTLS
OpenSSL's brief on the issue:
Time est. includes a stab at letting the admin configure their preferred
Committed in revisions 29745, 29746, 29747, 29748, 29749, 29750, 29751.
- make sure that SSLv3 is disabled in tlstunnel with the
standard configuration files.
- make sure that tlstunnel honors the priority string given in
the configuration files, for example by removing support for
even newer algorithms.
- make sure that tlstunnel handles invalid priority strings in
a graceful way rather than crashing.
- proof-read the documentation.
Making the docs now spews a lot of gunk out on your console whilst it is
(In reply to comment #4)
> Making the docs now spews a lot of gunk out on your console whilst it is
> generating gnutls-priorities.xml.
Documentation looks good...
Verifed with a client setting priority string:
which forces the use of SSLV3.0...
A new installation of nightly build prevents a connection against tlwebaccess
and tlwebadm while connecting using the same string against 4.3.0 succeeds.