online banking with BB&T

Chris Hoefler hoeflerb at gmail.com
Mon Apr 20 10:44:40 EDT 2015


Actually, there is a preprocessor directive in syncio_tls.c of the
libgwenhywfar library that selects between "old" and "new" ssl code. The new
code has a comment that says, "/* TODO: The following does not work with
all servers, disabled for now  */". It's not completely clear to me what
this means as it looks like fairly generic handshake code to me, but maybe
there are other buggy servers out there that it doesn't work for.

The best thing is to probably try to work with the upstream developers to
get the lingering issues worked out so that the new code can be enabled. I
don't know how to do this because everything is in German, including the
only Bugzilla tracker I was able to find. The new code introduces several
environment variables to control the handshake. It would be nice if these
could be properly placed in config files and/or passed through the UI, but
I don't know if that is a change that can easily happen.

Absent that possibility, the patch is trivial and can probably be
maintained separately as long as it doesn't result in breakage on other
servers. I've attached the patch for anyone interested and I'll document on
the wiki when I get a chance. We would have to work with the .deb and .rpm
package maintainers to get the patch accepted into the Linux repositories.

It would be great if everybody would just upgrade their servers, but these
banks are using some kind of EnterpriseFTX system. It seems they are good
at patching vulnerabilities, but a bit slow in upgrading to new protocols.
The old ssl code actually supports SSLv3, which should be disabled anyway.

On Mon, Apr 20, 2015 at 5:26 AM, Russell <gonsalves1 at gmail.com> wrote:

> I do appreciate this issue being considered.  I'll be more than happy to
> take a [user must set for that institution] checkbox in the advanced
> settings dialog to force the use of TLS 1.0.  Of course, with this option,
> it will not be clear to the average end user that this would need to be set
> to work with an institution like BB&T.



-- 
Chris Hoefler, PhD
Postdoctoral Research Associate
Straight Lab
Texas A&M University
2128 TAMU
College Station, TX 77843-2128
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch_addnewssl
Type: application/octet-stream
Size: 1141 bytes
Desc: not available
URL: <http://lists.gnucash.org/pipermail/gnucash-user/attachments/20150420/45b1d787/attachment.obj>

