Disabling SSLv3 for 2.10.10?
daniel.atallah at gmail.com
Thu Oct 16 12:40:38 EDT 2014
On Thu, Oct 16, 2014 at 12:29 PM, Jorge Villaseñor <salinasv at gmail.com>
> On Thu, Oct 16, 2014 at 8:14 AM, Daniel Atallah <daniel.atallah at gmail.com>
>> In light of the recent POODLE vulnerability, I think it makes sense to
>> disable SSLv3 by default for Pidgin 2.10.10.
>> I've come up with the following patch, which introduces a new hidden pref
>> that can be used to enable SSLv3.
>> We can easily add a UI for it if necessary.
>> I've tested the NSS stuff, and it seems to work well.
>> The one side effect that I'm not super happy about is that effectively
>> we won't support NSS < 3.14 unless SSLv3 is enabled.
>> Debian squeeze has 3.12.8.
>> RHEL5 has 3.12.10
>> I haven't tested the GNUTLS version (sorry, I haven't even compiled it).
> Which is the reason we cannot support NSS < 3.14 with SSLv3 disabled?
The API to specify TLS/SSL versions the way we do it wasn't added until
I looked a bit harder, and I think we can add support for NSS < 3.14 in a
I won't have a chance to implement it until this evening at the earliest
> I would prefer to not have a preference and just disable SSLv3 (so we have
> less code to maintain) but I see that both Debian squeeze and RHEL still
> have a long way to go.
> If it is a problem on NSS then Debian and RHEL may need to upgrade the
> library and we can completely drop the SSLv3 support without a preference
I don't think it's a great idea to eliminate SSLv3 entirely at this point,
but I could be convinced :)