Bug 5306 - consider disabling SSL3 in tlstunnel
Summary: consider disabling SSL3 in tlstunnel
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Misc (show other bugs)
Target Milestone: 4.4.0
Assignee: Karl Mikaelsson
Keywords: hean01_tester, relnotes
Depends on:
Reported: 2014-10-15 10:18 CEST by Pierre Ossman
Modified: 2015-03-20 10:30 CET (History)
3 users (show)

See Also:
Acceptance Criteria:


Description Pierre Ossman cendio 2014-10-15 10:18:12 CEST
There is a new MITM attack on SSL3 out called POODLE. This is a design flaw in SSL3 and there doesn't seem to be a way to work around it. So the general recommendation is to start disabling SSL3 everywhere.

Browsers have already started disabling SSL3 on their end so it's probably not a major cause for alarm for ThinLinc users. The main attack vector also seems to be to steal cookies, which we do not use. Still, better safe than sorry and we should prevent users from accidentally using an insecure protocol.

We need to double check that we don't lock out any significant browsers by doing this. Other than that it should just be a matter of changing the GnuTLS configuration.

OpenSSL's brief on the issue:

Comment 2 Karl Mikaelsson cendio 2014-11-27 12:40:23 CET
Time est. includes a stab at letting the admin configure their preferred ciphers.
Comment 3 Karl Mikaelsson cendio 2014-12-18 13:56:40 CET
Committed in revisions 29745, 29746, 29747, 29748, 29749, 29750, 29751.

Tester should...

 - make sure that SSLv3 is disabled in tlstunnel with the
   standard configuration files.

 - make sure that tlstunnel honors the priority string given in
   the configuration files, for example by removing support for
   even newer algorithms.

 - make sure that tlstunnel handles invalid priority strings in
   a graceful way rather than crashing.

 - proof-read the documentation.
Comment 4 Pierre Ossman cendio 2015-03-02 13:42:06 CET
Making the docs now spews a lot of gunk out on your console whilst it is generating gnutls-priorities.xml.
Comment 5 Karl Mikaelsson cendio 2015-03-02 14:09:29 CET
(In reply to comment #4)
> Making the docs now spews a lot of gunk out on your console whilst it is
> generating gnutls-priorities.xml.

Comment 6 Henrik Andersson cendio 2015-03-12 10:47:57 CET
Documentation looks good...
Comment 7 Henrik Andersson cendio 2015-03-13 10:11:48 CET
Verifed with a client setting priority string:


which forces the use of SSLV3.0...

A new installation of nightly build prevents a connection against tlwebaccess and tlwebadm while connecting using the same string against 4.3.0 succeeds.

Note You need to log in before you can comment on or make changes to this bug.