Disabling SSLv3 for 2.10.10?

Jorge Villaseñor salinasv at gmail.com
Thu Oct 16 12:29:35 EDT 2014


On Thu, Oct 16, 2014 at 8:14 AM, Daniel Atallah <daniel.atallah at gmail.com>
wrote:

> Folks,
>
> In light of the recent POODLE vulnerability, I think it makes sense to
> disable SSLv3 by default for Pidgin 2.10.10.
>
> I've come up with the following patch, which introduces a new hidden pref
> that can be used to enable SSLv3.
>
> We can easily add a UI for it if necessary.
>
> I've tested the NSS stuff, and it seems to work well.
>
> The one side effect that I'm not super happy about is that effectively
> we won't support NSS < 3.14 unless SSLv3 is enabled.
> Debian squeeze has 3.12.8.
> RHEL5 has 3.12.10
>
> I haven't tested the GNUTLS version (sorry, I haven't even compiled it).
>
> Thoughts?
> -D
>

What is the reason we cannot support NSS < 3.14 with SSLv3 disabled?

I would prefer to not have a preference and just disable SSLv3 (so we have
less code to maintain), but I see that both Debian squeeze and RHEL still
have a long way to go.

If it is a problem on NSS then Debian and RHEL may need to upgrade the
library and we can completely drop the SSLv3 support without a preference
option.

-- 
Masca

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?