Module: sip-router
Branch: master
Commit: 5fe0d14745303c61d3fafe9decbb735d5424a442
URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=5fe0d147...
Author: Daniel-Constantin Mierla miconda@gmail.com
Committer: Daniel-Constantin Mierla miconda@gmail.com
Date: Tue Oct 21 16:32:26 2014 +0200
tls: note that SSLv3 should not be used if high security is needed
- the note was already for SSLv2
---
 modules/tls/README         | 6 ++++--
 modules/tls/doc/params.xml | 4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/tls/README b/modules/tls/README index 09be2bf..713a65e 100644 --- a/modules/tls/README +++ b/modules/tls/README @@ -508,7 +508,8 @@ Revoking a certificate and using a CRL with openssl/libssl v1.0.1) * TLSv1 - only TLSv1 connections are accepted. This is the default value. - * SSLv3 - only SSLv3 connections are accepted + * SSLv3 - only SSLv3 connections are accepted. Note: you shouldn't + use SSLv3 for anything which should be highly secure. * SSLv2 - only SSLv2 connections, for old clients. Note: you shouldn't use SSLv2 for anything which should be highly secure. Newer versions of libssl don't include support for it anymore. @@ -517,7 +518,8 @@ Revoking a certificate and using a CRL message must be V2 (in the initial hello all the supported protocols are advertised enabling switching to a higher and more secure version). This means connections from SSLv3 or TLSv1 clients - will be accepted. + will be accepted. Note: you shouldn't use SSLv2 or SSLv3 for + anything which should be highly secure.
If rfc3261 conformance is desired, TLSv1 must be used. For compatibility with older clients SSLv23 is a good option. diff --git a/modules/tls/doc/params.xml b/modules/tls/doc/params.xml index 46de16f..a6e5808 100644 --- a/modules/tls/doc/params.xml +++ b/modules/tls/doc/params.xml @@ -39,7 +39,8 @@ </listitem> <listitem> <para> - <emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted + <emphasis>SSLv3</emphasis> - only SSLv3 connections are accepted. + Note: you shouldn't use SSLv3 for anything which should be highly secure. </para> </listitem> <listitem> @@ -56,6 +57,7 @@ message must be V2 (in the initial hello all the supported protocols are advertised enabling switching to a higher and more secure version). This means connections from SSLv3 or TLSv1 clients will be accepted. + Note: you shouldn't use SSLv2 or SSLv3 for anything which should be highly secure. </para> </listitem> </itemizedlist>
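Review bot: in the modules/tls/README hunk at @@ -508, the new SSLv3 sentence says not to use it for anything highly secure but gives no reason and names no alternative, while the SSLv2 item right below it at least adds that newer libssl versions no longer include support. Suggest stating why SSLv3 is discouraged and pointing the reader to TLSv1, which the context line above already describes as the default value.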
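Review bot: in the modules/tls/README hunk at @@ -517, the note added to the SSLv23 item sits directly above the unchanged sentence "For compatibility with older clients SSLv23 is a good option", so the text now warns against SSLv2 and SSLv3 and then recommends the method that accepts them. Suggest qualifying that closing sentence (for example, that SSLv23 trades security for compatibility), or saying in the note that TLSv1 is the setting to choose when security matters.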
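Review bot: in modules/tls/doc/params.xml (hunks at @@ -39 and @@ -56), the warning is appended as running text inside the existing <para>, so in rendered output it reads as part of the method description and is easy to miss. Suggest setting it apart, for instance with the <emphasis> element this list already uses for the method names, and keeping the wording identical to the README so the two copies do not drift.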