[Fixed] Minimum SSL version disagrees with description

Slimjet bug reports
Locked
User avatar
rseilersj
Posts: 33
Joined: Sat May 09, 2015 1:54 pm

[Fixed] Minimum SSL version disagrees with description

Post by rseilersj »

I've seen this in 4.0.2 and 4.0.3, Windows (don't know when it started).

The description reads as follows, which I assume to be correct: "Note: Select SSL 3.0 if you have problem connecting to old servers. Otherwise, leave it at the default value of TLS 1.0 to ensure better security."

However, SSL 3.0 is the default instead of TLS 1.0.

dev
Posts: 761
Joined: Mon Apr 21, 2014 10:30 pm

Re: Minimum SSL version disagrees with description

Post by dev »

It was TLS 1.0 as the default when it first came about due to a security bug/flaw found in chrome but i would imagine its a obsolete setting now as i would have thought chrome or the parties involved would fixed it by now in the latest releases by
disabling SSL 3.0 completely.
viewtopic.php?f=5&t=131 then http://www.slimjet.com/en/whatisnew.php scroll down to version 1.2.9.0 CRITICAL SECURITY UPDATE: Set default SSL minimum to TLS 1.0 as a response to the Poodle bites exploit of SSL 3.0

User avatar
rseilersj
Posts: 33
Joined: Sat May 09, 2015 1:54 pm

Re: Minimum SSL version disagrees with description

Post by rseilersj »

Chrome did end up removing/disabling (for a while you had to use a switch to do it), but Chromium/Blink apparently didn't since if you leave Slimjet at the default of SSL3 and visit this site, it shows that it's alive and kicking:
https://www.ssllabs.com/ssltest/viewMyClient.html

No doubt you're right that most servers have deprecated it, but probably not all considering how many there are. Still, one of the TLS's would probably negotiate before SSL3 ever would, but better safe than sorry.

dev
Posts: 761
Joined: Mon Apr 21, 2014 10:30 pm

Re: Minimum SSL version disagrees with description

Post by dev »

Yes better safe than sorry but I think the ssl settings in slimjet now needs removing as it was patched in chrome/chromium 40/upwards that ssl3 is no longer available where as with slimjet because of that setting it is, so your novice/general users of slimjet are open to the vulnerable of the poodle exploit without knowing any better. Even more so as you have pointed out that the default is ssl3 not tls in their latest releases.
Sometimes its better not to know the devil you know.

User avatar
rseilersj
Posts: 33
Joined: Sat May 09, 2015 1:54 pm

Re: Minimum SSL version disagrees with description

Post by rseilersj »

I think the change in Chrome/Chromium must have just been about it being disabled by default, because it is still possible via:
chrome://flags/#ssl-version-min

They probably left it there for legacy reasons--some old site that only supports SSL3, and maybe also for the uber-secure (those who want to require TLS 1.1 or even 1.2).

Since that same flag works in Slimjet too, maybe, like you say, Slimjet's additional setting can go.

flashpeak
Site Admin
Posts: 362
Joined: Mon Apr 21, 2014 3:57 pm

Re: Minimum SSL version disagrees with description

Post by flashpeak »

There is a display issue of that option here. The default value is actually TLS 1.0 but incorrectly displayed in the option settings. If you have never changed the option manually, you actually gets tls1.. But if you changed to tls 1.0 and change back to sslv3, you will get the real sslv3.

We will fix this in the next build. Thanks for pointing it out.
Stephen Cheng
FlashPeak Inc.

Locked