Disabling SSLv3 for 2.10.10?

Daniel Atallah daniel.atallah at gmail.com
Thu Oct 16 12:40:38 EDT 2014

On Thu, Oct 16, 2014 at 12:29 PM, Jorge Villaseñor <salinasv at gmail.com>

> On Thu, Oct 16, 2014 at 8:14 AM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>> Folks,
>> In light of the recent POODLE vulnerability, I think it makes sense to
>> disable SSLv3 by default for Pidgin 2.10.10.
>> I've come up with the following patch, which introduces a new hidden pref
>> that can be used to enable SSLv3.
>> We can easily add a UI for it if necessary.
>> I've tested the NSS stuff, and it seems to work well.
>> The one side effect that I'm not super happy about is that effectively
>> we won't support NSS < 3.14 unless SSLv3 is enabled.
>> Debian squeeze has 3.12.8.
>> RHEL5 has 3.12.10
>> I haven't tested the GNUTLS version (sorry, I haven't even compiled it).
>> Thoughts?
>> -D
> Which is the reason we cannot support NSS < 3.14  with SSLv3 disabled?

The API to specify TLS/SSL versions the way we do it wasn't added until

I looked a bit harder, and I think we can add support for NSS < 3.14 in a
different way:

I won't have a chance to implement it until this evening at the earliest.

> I would prefer to not have a preference and just disable SSLv3 (so we have
> less code to maintain) but I see that both Debian squeeze and RHEL still
> have a long way to go.
> If it is a problem on NSS then Debian and RHEL may need to upgrade the
> library and we can completely drop the SSLv3 support without a preference
> option.

I don't think it's a great idea to eliminate SSLv3 entirely at this point,
but I could be convinced :)
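The policy the thread settles on (SSLv3 off by default, a hidden pref to turn it back on, and the caveat that NSS older than 3.14 only works when SSLv3 is enabled) can be written down as a small decision function. The block below is an added illustration, not the Pidgin patch from the scrubbed attachment: it uses Python's `ssl` module in place of NSS/GnuTLS, the pref key `/purple/ssl/allow_sslv3` is a hypothetical name (the real key is not on this page), and the constant `NSS_VERSION_RANGE_API = (3, 14)` encodes the NSS release in which the `SSL_VersionRangeSet` version-range API first shipped.

```python
"""Default-off SSLv3 with a hidden opt-in pref, plus the NSS-version gate.

Added illustration in Python's ssl module; Pidgin's actual patch (C, NSS and
GnuTLS back ends) is not reproduced here.
"""
import ssl

# Hypothetical pref key; the real Pidgin pref name is not shown on this page.
ALLOW_SSLV3_PREF = "/purple/ssl/allow_sslv3"

# NSS release that introduced the version-range API (SSL_VersionRangeSet).
NSS_VERSION_RANGE_API = (3, 14)


def parse_nss_version(text: str) -> tuple:
    """'3.12.8' -> (3, 12, 8); missing trailing components count as zero."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def nss_has_version_range_api(version: str) -> bool:
    """True when this NSS can express 'TLS only' through a version range."""
    return parse_nss_version(version) >= NSS_VERSION_RANGE_API


def sslv3_allowed(prefs: dict) -> bool:
    """Default-deny: only an explicit boolean True re-enables SSLv3.

    A missing, malformed or string-valued pref keeps SSLv3 disabled, so a
    corrupted prefs file cannot silently reopen the POODLE exposure.
    """
    return prefs.get(ALLOW_SSLV3_PREF) is True


def effective_policy(nss_version: str, prefs: dict) -> str:
    """Outcome of the proposed patch for a given NSS build and pref state."""
    if sslv3_allowed(prefs):
        return "sslv3-enabled"   # legacy path, available on any NSS
    if nss_has_version_range_api(nss_version):
        return "tls-only"        # SSLv3 excluded via the version-range API
    return "unsupported"         # old NSS with SSLv3 off: no usable setup


def build_client_context(prefs: dict) -> ssl.SSLContext:
    """Client context whose protocol floor follows the hidden pref."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # TLS 1.0 was the floor in 2014; lowering it to SSLv3 is opt-in only.
    floor = ssl.TLSVersion.SSLv3 if sslv3_allowed(prefs) else ssl.TLSVersion.TLSv1
    ctx.minimum_version = floor
    return ctx


def context_floor_name(prefs: dict) -> str:
    """Name of the negotiated floor, e.g. 'TLSv1', for the given prefs."""
    return build_client_context(prefs).minimum_version.name


if __name__ == "__main__":
    # Versions named in the thread: Debian squeeze 3.12.8, RHEL5 3.12.10.
    for nss in ("3.12.8", "3.12.10", "3.14", "3.16.2"):
        print(nss, effective_policy(nss, {}), effective_policy(nss, {ALLOW_SSLV3_PREF: True}))
    print("default floor:", context_floor_name({}))
```

Note that on an OpenSSL build compiled without SSLv3 (the norm today) the lowered floor is accepted by the context but never negotiated, so the opt-in branch degrades to TLS-only rather than failing; the `effective_policy` function is where the "old NSS needs SSLv3" exception is made explicit instead of being an accident of which library is installed.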
