• Documentation suggestion SSLIOP allow only TLS?

    From Andreas Leitgeb@21:1/5 to All on Thu May 24 14:10:02 2018
    This is what http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/TAO/docs/Security/SSLIOP-USAGE.html
    currently has to say about -SSLVersionList:
    " Unlike the cipher list option, this takes a list of SSL versions to
    " support. List is a comma separated string containing SSLv23. If
    " -SSLVersionList is not supplied, SSL will support all of these versions.

    Maybe that page could do with some update, suggesting to use "TLSv1.2"
    or at least mentioning it, instead of implying that SSLv23 was kind of
    required to occur in the list.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Johnny Willemsen@21:1/5 to Andreas Leitgeb on Thu May 24 08:02:25 2018
    Hi,

    Please open a pull request with the proposed changes at https://github.com/DOCGroup/ACE_TAO.

    Best regards,

    Johnny Willemsen
    Remedy IT
    http://www.remedy.nl

    On Thursday, May 24, 2018 at 4:10:04 PM UTC+2, Andreas Leitgeb wrote:
    This is what http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/TAO/docs/Security/SSLIOP-USAGE.html
    currently has to say about -SSLVersionList:
    " Unlike the cipher list option, this takes a list of SSL versions to
    " support. List is a comma separated string containing SSLv23. If
    " -SSLVersionList is not supplied, SSL will support all of these versions.

    Maybe that page could do with some update, suggesting to use "TLSv1.2"
    or at least mentioning it, instead of implying that SSLv23 was kind of required to occur in the list.

  • From Andreas Leitgeb@21:1/5 to Johnny Willemsen on Fri May 25 10:27:04 2018
    I'll likely end up writing such a PR, but for now I'd like to
    get more understanding of what ACE/TAO is aiming at.

    Out of some trial & error I found TLSv1.2 working for me, but that doesn't
    necessarily work for others, and giving that version specifically won't
    allow for future improved versions. Quite likely, such application config
    files outlive the particular ACE/TAO version under which they were
    originally created.

    I'd like some discussion about whether just replacing SSLv23 by TLSv1.2
    in the docs is the right thing, or whether ACE/TAO shouldn't really
    support a black-list rather than a white-list, (or, if it already does,
    to document that.)


    Johnny Willemsen <jwillemsen@remedy.nl> wrote:
    Please open a pull request with the proposed changes at https://github.com/DOCGroup/ACE_TAO.

    On Thursday, May 24, 2018 at 4:10:04 PM UTC+2, Andreas Leitgeb wrote:
    This is what http://www.dre.vanderbilt.edu/~schmidt/DOC_ROOT/TAO/docs/Security/SSLIOP-USAGE.html
    currently has to say about -SSLVersionList:
    " Unlike the cipher list option, this takes a list of SSL versions to
    " support. List is a comma separated string containing SSLv23. If
    " -SSLVersionList is not supplied, SSL will support all of these versions.

    Maybe that page could do with some update, suggesting to use "TLSv1.2"
    or at least mentioning it, instead of implying that SSLv23 was kind of
    required to occur in the list.


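
The allow-list versus minimum-version question raised in the last post, as an added sketch using Python's standard `ssl` module (not ACE/TAO code and not from the thread). The function names and the version-list string format handled here are assumptions for illustration; the sketch says nothing about how TAO itself parses `-SSLVersionList`.

```python
import ssl

# Names accepted in this sketch; anything else (legacy names included) is refused.
_KNOWN = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def _parse(version_list):
    """Turn a comma-separated string such as 'TLSv1.2,TLSv1.3' into TLSVersion values."""
    names = [n.strip() for n in version_list.split(",") if n.strip()]
    if not names:
        raise ValueError("empty version list")
    unknown = [n for n in names if n not in _KNOWN]
    if unknown:
        raise ValueError(f"refusing unknown or legacy protocol names: {unknown}")
    return sorted(_KNOWN[n] for n in names)


def context_from_allow_list(version_list):
    """Allow-list semantics: only the listed versions may be negotiated."""
    versions = _parse(version_list)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]  # ceiling is frozen when the config is written
    return ctx


def context_from_floor(version_list):
    """Floor semantics: the lowest listed version is a minimum, newer ones stay allowed."""
    versions = _parse(version_list)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = versions[0]
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def permits(ctx, version):
    """True if the context's configured range includes the given TLSVersion."""
    ceiling = ctx.maximum_version
    if ceiling == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return ctx.minimum_version <= version
    return ctx.minimum_version <= version <= ceiling
```

With the same config string `TLSv1.2`, the allow-list context refuses TLS 1.3 while the floor context accepts it, which is the config-outlives-the-library concern in concrete form.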