[asterisk-bugs] [JIRA] (ASTERISK-24425) [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566)

opsmonitor (JIRA) noreply at issues.asterisk.org
Sat Oct 18 13:25:29 CDT 2014


    [ https://issues.asterisk.org/jira/browse/ASTERISK-24425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=223066#comment-223066 ] 

opsmonitor commented on ASTERISK-24425:
---------------------------------------

Your patch saved the day.  After looking for a possible Jabber server problem, or an OpenSSL version issue after a yum update, I was suspecting Asterisk and found this patch to be working fine.

Environment:
Centos 7
kernel 2.6.32-431.29.2.el6.x86_64 #1 SMP 
openssl-1.0.1e-30.el6_5.2.x86_64
openssl-devel-1.0.1e-30.el6_5.2.x86_64





> [patch] jabber/xmpp to use TLS instead of SSLv3, security fix POODLE (CVE-2014-3566)
> ------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24425
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24425
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_jabber, Resources/res_xmpp
>    Affects Versions: SVN, 1.8.31.0, 11.13.0
>         Environment: AstLinux with Prosody 0.9.6
>            Reporter: abelbeck
>         Attachments: asterisk-11-jabber-xmpp-tls.patch, asterisk-1.8-jabber-tls.patch
>
>
> Asterisk's Jabber and XMPP implementations strictly use SSLv3, which has the POODLE (CVE-2014-3566) security issue.
> The attached patches force a TLS method instead of SSLv3.
> Full disclosure, this is my first foray into OpenSSL specifics and my knowledge is all from online research.  There may be a better way.
> This works in my limited testing.


