Disabling SSLv3 for 2.10.10?

Daniel Atallah daniel.atallah at gmail.com
Thu Oct 16 11:14:27 EDT 2014


Folks,

In light of the recent POODLE vulnerability, I think it makes sense to
disable SSLv3 by default for Pidgin 2.10.10.

I've come up with the following patch, which introduces a new hidden pref
that can be used to enable SSLv3.

We can easily add a UI for it if necessary.

I've tested the NSS stuff, and it seems to work well.

The one side effect that I'm not super happy about is that effectively
we won't support NSS < 3.14 unless SSLv3 is enabled.
Debian squeeze has 3.12.8.
RHEL5 has 3.12.10.

I haven't tested the GNUTLS version (sorry, I haven't even compiled it).

Thoughts?
-D
-------------- next part --------------
A non-text attachment was scrubbed...
Name: POODLE.patch
Type: text/x-diff
Size: 6550 bytes
Desc: not available
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20141016/8bbe74ee/attachment-0001.patch>
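As an added illustration (not part of this mail, and not the attached POODLE.patch, which is not reproduced here), the following Python script shows how a defender can confirm that a client-side change like the one proposed actually takes effect on the wire: it parses captured TLS/SSL record-layer headers, pulls the negotiated protocol version out of a ServerHello, and checks it against a policy that refuses SSLv3 unless an explicit opt-in flag is set. The `sslv3_enabled` flag is a stand-in for the hidden pref described above; its name is an assumption and does not correspond to any Pidgin or NSS identifier. The sample records are constructed inline.

```python
"""Detect SSLv3 negotiation in captured TLS records (constructed samples).

Added illustration, not Pidgin or NSS code. Parses the record-layer
header and, for a ServerHello, the negotiated protocol version, then
checks it against a policy in which SSLv3 is refused unless an explicit
opt-in (modelled on the hidden pref in the mail; name is assumed) is set.
"""
import struct

CONTENT_HANDSHAKE = 0x16        # record-layer content type for handshake messages
HANDSHAKE_SERVER_HELLO = 0x02   # handshake message type for ServerHello

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def parse_record(data: bytes):
    """Return (content_type, (major, minor), body) for one record-layer record."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, (major, minor), body


def server_hello_version(body: bytes):
    """Extract server_version from a ServerHello handshake body, or None."""
    if len(body) < 6 or body[0] != HANDSHAKE_SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")   # 24-bit handshake length
    if len(body) - 4 < hs_len or hs_len < 2:
        return None
    # server_version is the first two bytes of the ServerHello body
    return (body[4], body[5])


def negotiated_version(record: bytes):
    """Negotiated (major, minor) if the record carries a ServerHello, else None."""
    ctype, _record_version, body = parse_record(record)
    if ctype != CONTENT_HANDSHAKE:
        return None
    return server_hello_version(body)


def version_allowed(version, sslv3_enabled=False):
    """Policy: TLS 1.0 and newer always allowed; SSLv3 only with the opt-in; anything older never."""
    if version is None:
        return False
    if version == (3, 0):
        return sslv3_enabled
    return version > (3, 0)


def build_server_hello(major, minor):
    """Constructed minimal ServerHello record for testing (random and session id zeroed)."""
    hs_body = (bytes([major, minor])    # server_version
               + b"\x00" * 32           # random
               + b"\x00"                # session_id length 0
               + b"\x00\x2f"            # cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
               + b"\x00")               # compression method null
    hs = bytes([HANDSHAKE_SERVER_HELLO]) + len(hs_body).to_bytes(3, "big") + hs_body
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(hs)) + hs


def audit(records, sslv3_enabled=False):
    """Return a list of (version_name, allowed) for each ServerHello seen."""
    results = []
    for rec in records:
        ver = negotiated_version(rec)
        if ver is None:
            continue
        name = VERSION_NAMES.get(ver, f"unknown {ver}")
        results.append((name, version_allowed(ver, sslv3_enabled)))
    return results


if __name__ == "__main__":
    samples = [build_server_hello(3, 0), build_server_hello(3, 3)]
    for name, ok in audit(samples):
        print(f"{name}: {'allowed' if ok else 'REFUSED'}")
```

Run against a capture of a client session after applying the change, every ServerHello should come back as TLS 1.0 or newer with `sslv3_enabled=False`; an SSLv3 entry marked REFUSED indicates the peer still negotiated the old protocol and the client-side restriction is not in effect.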