Disabling SSLv3 for 2.10.10?
salinasv at gmail.com
Thu Oct 16 12:29:35 EDT 2014
On Thu, Oct 16, 2014 at 8:14 AM, Daniel Atallah <daniel.atallah at gmail.com> wrote:
> In light of the recent POODLE vulnerability, I think it makes sense to
> disable SSLv3 by default for Pidgin 2.10.10.
> I've come up with the following patch, which introduces a new hidden pref
> that can be used to enable SSLv3.
> We can easily add a UI for it if necessary.
> I've tested the NSS stuff, and it seems to work well.
> The one side effect that I'm not super happy about is that effectively
> we won't support NSS < 3.14 unless SSLv3 is enabled.
> Debian squeeze has 3.12.8.
> RHEL5 has 3.12.10
> I haven't tested the GNUTLS version (sorry, I haven't even compiled it).
What is the reason we cannot support NSS < 3.14 with SSLv3 disabled?
I would prefer to not have a preference and just disable SSLv3 (so we have
less code to maintain) but I see that both Debian squeeze and RHEL still
have a long way to go.
If it is a problem on NSS then Debian and RHEL may need to upgrade the
library and we can completely drop the SSLv3 support without a preference.
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Q: What is the most annoying thing on usenet and in e-mail?