Disable SSL v3 protocol and use only TLS 1.0, TLS 1.1, TLS 1.2
problem
According to the public XMPP server statistics at http://xmpp.net/reports.php, 99% of all XMPP servers support TLS 1.0. Please disable the old SSL v3.
(The server sslv3.s.xnyhps.nl is a special testing server for SSL v3 compatibility.)
analysis
TLS 1.0 contains some enhancements over SSL3:
- Expansion of cryptographic keys from the initially exchanged secret was improved
- MAC construction mechanism modified into an HMAC
- Mandatory support for Diffie-Hellman key exchange, the Digital Signature Standard, and Triple-DES encryption
http://seclists.org/basics/2010/Aug/29
enhancement recommendation
This patch contains code to disable SSL v3; the method _startSSL_pyOpenSSL is a bit simplified. The default cipher list is changed to HIGH:!aNULL:RC4-SHA, because the HIGH command disables all null ciphers (therefore !eNULL is not necessary). You can check the output of
openssl ciphers 'HIGH:!aNULL:RC4-SHA'
openssl ciphers 'HIGH:!aNULL:!eNULL:RC4-SHA'
It's the same list of ciphers.
The _dumpX509 method will output the SHA2-256 digest of the certificate instead of MD5. MD5 for certificates was broken: http://www.win.tue.nl/hashclash/rogue-ca/
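The check described above, as an added example that is not part of the patch: it uses Python's standard ssl module instead of pyOpenSSL, builds a client context with SSL v3 disabled and the ticket's cipher string, and verifies that the resulting list contains no anonymous or unencrypted suites. The function names are assumptions made for this illustration.

```python
import re
import ssl

# Cipher strings quoted in the ticket.
PAGE_CIPHERS = "HIGH:!aNULL:RC4-SHA"
EXPLICIT_CIPHERS = "HIGH:!aNULL:!eNULL:RC4-SHA"


def make_client_context(cipher_string=PAGE_CIPHERS):
    """Build a TLS client context that refuses SSL v2 and SSL v3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Same idea as the OP_NO_SSLv3 option in pyOpenSSL: negotiate the best
    # TLS version both sides support, but never fall back to SSL v3.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Cipher names the local OpenSSL build does not know (RC4-SHA on many
    # current builds) are skipped by OpenSSL when the string is parsed.
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_ciphers(ctx):
    """Names of the cipher suites the context will offer, in order."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(ctx):
    """Suites without authentication (aNULL) or without encryption (eNULL)."""
    pattern = re.compile(r"\b(Au|Enc)=None\b")
    return [c["name"] for c in ctx.get_ciphers()
            if pattern.search(c["description"])]


def sslv3_disabled(ctx):
    """True when the context carries the OP_NO_SSLv3 option."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    ctx = make_client_context()
    print("SSL v3 disabled:", sslv3_disabled(ctx))
    print("anonymous/null suites:", weak_ciphers(ctx))
    same = enabled_ciphers(ctx) == enabled_ciphers(
        make_client_context(EXPLICIT_CIPHERS))
    print("both cipher strings give the same list:", same)
```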