Re: [tor-bugs] #4822 [Tor Client]: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
#4822: Avoid vulnerability CVE-2011-4576 : Disable SSL3?
------------------------+---------------------------------------------------
Reporter: nickm | Owner:
Type: defect | Status: needs_review
Priority: critical | Milestone: Tor: 0.2.1.x-final
Component: Tor Client | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by rransom):
Replying to [comment:22 nickm]:
> For logging version numbers, prefer OPENSSL_VERSION_TEXT
OK.
> and SSLeay_version(SSLEAY_VERSION), I think.
No.
{{{
char *SSLeay_version(t)
int t;
{
if (t == SSLEAY_VERSION)
return("SSLeay 0.9.1a 06-Jul-1998");
}}}
That is impressively bogus.
> And a better message would be IMO "Disabling SSLv3 because this OpenSSL
> version might otherwise be vulnerable to CVE-foo." In other words, make it
> clear that this is a problem that stems from the openssl version, and that
> disabling SSLv3 will solve the problem if it exists.
OK.
> This could be at NOTICE, I think. But I'm not sure it has to be. Others
> can decide.
Currently we emit the log message whenever we disable SSLv3 for some TLS
context, which we do at least once on every SIGHUP. Do you still think we
should emit this at notice level? If so, should we try to emit it less
often?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4822#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online