Bug 551278 - =net-misc/proxytunnel-1.9.1: patch to enable TLS
Summary: =net-misc/proxytunnel-1.9.1: patch to enable TLS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Vikraman (RETIRED)
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks:
 
Reported: 2015-06-05 09:39 UTC by Wicher Minnaard
Modified: 2015-07-08 04:19 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Attachments
${FILESDIR}/proxytunnel-allowTLS.patch (file_551278.txt,484 bytes, text/plain)
2015-06-05 09:39 UTC, Wicher Minnaard
proxytunnel-1.9.1-r1.ebuild (patch to -1.9.1.ebuild) (file_551278.txt,330 bytes, patch)
2015-06-05 09:40 UTC, Wicher Minnaard

Description Wicher Minnaard 2015-06-05 09:39:17 UTC
Created attachment 404614 [details]
${FILESDIR}/proxytunnel-allowTLS.patch

Apache 2.4 by default disables SSLv3:

    # Don't use SSLv2 anymore as it's considered to be broken security-wise.
    # Also disable SSLv3 as most modern browsers are capable of TLS.
    SSLProtocol ALL -SSLv2 -SSLv3

So this patch enables TLS. I posted the patch upstream over a month ago (https://github.com/proxytunnel/proxytunnel/pull/9) but upstream activity is low and it hasn't been merged or commented on (yet).

From https://www.openssl.org/docs/ssl/SSL_CTX_new.html:

    SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
    A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
    If extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern.
Comment 1 Wicher Minnaard 2015-06-05 09:40:29 UTC
Created attachment 404616 [details, diff]
proxytunnel-1.9.1-r1.ebuild (patch to -1.9.1.ebuild)
Comment 2 Vikraman (RETIRED) gentoo-dev 2015-06-11 15:44:31 UTC
In your patch, you replaced SSLv3_client_method() with SSLv23_client_method(). Is this what you intended? Shouldn't this be TLS_client_method() instead?

From the documentation:

> SSLv3_method(void), SSLv3_server_method(void), SSLv3_client_method(void)
>
>     A TLS/SSL connection established with these methods will only understand the SSLv3 protocol. A client will send out SSLv3 client hello messages and will indicate that it only understands SSLv3. A server will only understand SSLv3 client hello messages.
>
> TLS_method(void), TLS_server_method(void), TLS_client_method(void)
>
>     A TLS/SSL connection established with these methods may understand the SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols.
>
>     If extensions are required (for example server name) a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3. A server will support SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols. This is the best choice when compatibility is a concern.
> SSLv23_method(void), SSLv23_server_method(void), SSLv23_client_method(void)
>
>     Use of these functions is deprecated. They have been replaced with TLS_Method(), TLS_server_method() and TLS_client_method() respectively. New code should use those functions instead.
>
Comment 3 Wicher Minnaard 2015-06-12 09:45:20 UTC
(In reply to Vikraman from comment #2)
> In your patch, you replaced SSLv3_client_method() with
> SSLv23_client_method(). Is this what you intended? Shouldn't this be
> TLS_client_method() instead?

It's... complicated.
TLS_client_method() which you mention only appears in openssl 1.1.0. (per https://www.openssl.org/docs/ssl/SSL_CTX_new.html, section HISTORY).
That version, not in Portage yet, will also deprecate SSLv23_client_method().

Current OpenSSL version on Gentoo is < 1.1.0. For docs on SSLv23_client_method(), see `man 3 SSL_CTX_new`. This appears to be the way to negotiate TLSv1.1 and TLSv1.2 on openssl-1.0.
For security the actual SSLv2 cipher suites should be disabled (and they are, at least in recent Apache configs).

For proxytunnel itself it does not matter much security-wise, as the payload is encrypted SSH traffic anyway (as such, proxytunnel doesn't even bother to check the certificate chain).
Comment 4 Wicher Minnaard 2015-07-05 09:48:44 UTC
Upstream merged this, see:
https://github.com/proxytunnel/proxytunnel/pull/9
Comment 5 Vikraman (RETIRED) gentoo-dev 2015-07-08 04:19:17 UTC
*proxytunnel-1.9.1-r1 (08 Jul 2015)

  08 Jul 2015; Vikraman Choudhury (vikraman) <vikraman@gentoo.org>
  +files/proxytunnel-allowTLS.patch, +proxytunnel-1.9.1-r1.ebuild,
  -proxytunnel-1.9.0.ebuild, -proxytunnel-1.9.1.ebuild:
  Add patch to enable TLS. Fixes bug 551278. Drop old.