Disabling SSLv3 for 2.10.10?

Daniel Atallah daniel.atallah at gmail.com
Thu Oct 16 12:40:38 EDT 2014


On Thu, Oct 16, 2014 at 12:29 PM, Jorge Villaseñor <salinasv at gmail.com>
wrote:

> On Thu, Oct 16, 2014 at 8:14 AM, Daniel Atallah <daniel.atallah at gmail.com>
> wrote:
>
>> Folks,
>>
>> In light of the recent POODLE vulnerability, I think it makes sense to
>> disable SSLv3 by default for Pidgin 2.10.10.
>>
>> I've come up with the following patch, which introduces a new hidden pref
>> that can be used to enable SSLv3.
>>
>> We can easily add a UI for it if necessary.
>>
>> I've tested the NSS stuff, and it seems to work well.
>>
>> The one side effect that I'm not super happy about is that effectively
>> we won't support NSS < 3.14 unless SSLv3 is enabled.
>> Debian squeeze has 3.12.8.
>> RHEL5 has 3.12.10.
>>
>> I haven't tested the GNUTLS version (sorry, I haven't even compiled it).
>>
>> Thoughts?
>> -D
>>
>
> What is the reason we cannot support NSS < 3.14 with SSLv3 disabled?
>

The API to specify TLS/SSL versions the way we do it wasn't added until
3.14.

I looked a bit harder, and I think we can add support for NSS < 3.14 in a
different way:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes

I won't have a chance to implement it until this evening at the earliest
though.


> I would prefer to not have a preference and just disable SSLv3 (so we have
> less code to maintain) but I see that both Debian squeeze and RHEL still
> have a long way to go.
>
> If it is a problem on NSS then Debian and RHEL may need to upgrade the
> library and we can completely drop the SSLv3 support without a preference
> option.
>

I don't think it's a great idea to eliminate SSLv3 entirely at this point,
but I could be convinced :)

-D