There is a new MITM attack on SSL3 out called POODLE. This is a design flaw in SSL3 and there doesn't seem to be a way to work around it. So the general recommendation is to start disabling SSL3 everywhere. Browsers have already started disabling SSL3 on their end so it's probably not a major cause for alarm for ThinLinc users. The main attack vector also seems to be to steal cookies, which we do not use. Still, better safe than sorry and we should prevent users from accidentally using an insecure protocol. We need to double check that we don't lock out any significant browsers by doing this. Other than that it should just be a matter of changing the GnuTLS configuration. OpenSSL's brief on the issue: https://www.openssl.org/~bodo/ssl-poodle.pdf
Time est. includes a stab at letting the admin configure their preferred ciphers.
Committed in revisions 29745, 29746, 29747, 29748, 29749, 29750, 29751.

Tester should...
- make sure that SSLv3 is disabled in tlstunnel with the standard configuration files.
- make sure that tlstunnel honors the priority string given in the configuration files, for example by removing support for even newer algorithms.
- make sure that tlstunnel handles invalid priority strings in a graceful way rather than crashing.
- proof-read the documentation.
Making the docs now spews a lot of gunk out on your console whilst it is generating gnutls-priorities.xml.
(In reply to comment #4)
> Making the docs now spews a lot of gunk out on your console whilst it is
> generating gnutls-priorities.xml.

r30076.
Documentation looks good...
Verified with a client setting priority string:

NORMAL:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0

which forces the use of SSLv3.0... A new installation of the nightly build prevents a connection against tlwebaccess and tlwebadm, while connecting using the same string against 4.3.0 succeeds.
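
Added example, not part of the original thread and not ThinLinc or GnuTLS code: a simplified Python model of how the `VERS-` modifiers in a priority string are applied left to right, usable to audit a configured string for SSL3.0 and to see why the client string in the verification comment leaves SSL3.0 as the only offered version. Assumptions: the base keyword `NORMAL` enables SSL3.0 through TLS1.2 (true of GnuTLS releases from the time of POODLE, not of later ones), and only explicit `VERS-<version>` tokens are modelled.

```python
"""Simplified model of the VERS-* part of a GnuTLS priority string."""

KNOWN = ["SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"]

# Assumption: what each base keyword enables. NORMAL included SSL3.0 in
# GnuTLS releases contemporary with POODLE; adjust for the build you audit.
BASE = {"NORMAL": list(KNOWN), "NONE": []}


def enabled_versions(priority):
    """Return the protocol versions left enabled by a priority string.

    Raises ValueError for strings this model cannot interpret, so a caller
    can reject a bad configuration value instead of crashing on it.
    """
    tokens = priority.strip().upper().split(":")
    keyword = tokens[0]
    if keyword not in BASE:
        raise ValueError(f"unsupported base keyword: {keyword!r}")
    versions = list(BASE[keyword])
    for tok in tokens[1:]:
        if tok.startswith("%"):
            continue  # special options such as %COMPAT do not change versions
        if len(tok) < 2 or tok[0] not in "+-!":
            raise ValueError(f"malformed token: {tok!r}")
        op, name = tok[0], tok[1:]
        if not name.startswith("VERS-"):
            continue  # ciphers, MACs, key exchanges: outside this model
        vers = name[len("VERS-"):]
        if vers not in KNOWN:
            raise ValueError(f"version not modelled: {vers!r}")
        if op == "+":
            if vers not in versions:
                versions.append(vers)
        elif vers in versions:  # '-' and '!' both remove
            versions.remove(vers)
    return versions


def allows_ssl3(priority):
    """True if the string leaves SSL3.0 enabled under the assumptions above."""
    return "SSL3.0" in enabled_versions(priority)


if __name__ == "__main__":
    # The client string from the verification comment: only SSL3.0 remains,
    # so a server that refuses SSL3.0 shares no version with this client.
    client = "NORMAL:+VERS-SSL3.0:-VERS-TLS1.2:-VERS-TLS1.1:-VERS-TLS1.0"
    print(enabled_versions(client))
    print(allows_ssl3("NORMAL:-VERS-SSL3.0"))
```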