Comment 4 for bug 1389264

Thomas Ward (teward) wrote:

Further changes and updates. Upstream ZNC has accepted commits to accept SSL protocol configuration to select the protocols you want to support. https://github.com/znc/znc/pull/728/files

This was facilitated by commits to the CSocket program/library that ZNC uses and includes with itself.

The commit contains four git commits:
(1) Update CSocket.
(2) Fix the non-SSL builds.
(3) Disable SSL Compression (to mitigate CRIME vulnerability)
(4) Add a configuration option to define SSL protocols that are supported.

I discussed this with mdeslaur. Adding the configuration option to define SSL protocols may be more feasible to include than to outright disable the SSL protocol for SSLv3 on its own. This would also potentially apply as a valid SRU to older releases, thereby making this security issue a null point. To the end that this could be a possible SRU, I'm marking everything as "Confirmed" rather than "Won't Fix", pending a discussion with the SRU team ahead of uploading debdiffs.