Closed Bug 1083762 Opened 10 years ago Closed 10 years ago

Disable SSL 3 in the default NSS configuration around April 2015

Categories

(NSS :: Libraries, defect)

3.17.2
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1140029

People

(Reporter: KaiE, Unassigned)

Attachments

(1 file)

Given the recent POODLE vulnerability, NSS should no longer suggest to use SSL3 by default. I'll attach a patch.
Attached patch Patch v1
Attachment #8506113 - Flags: review?(rrelyea)
Comment on attachment 8506113 Patch v1

Review of attachment 8506113:
-----------------------------------------------------------------

::: lib/ssl/sslsock.c
@@ +93,1 @@
> SSL_LIBRARY_VERSION_TLS_1_0

Is there any reason we wouldn't bump this to 1.2 on the max at the same time?
I'd be OK to also change the default max to 1.2.

Given that some applications rely solely on the defaults, it would be a good change to improve security.

The risk is that non-retrying client applications might break when they talk to intolerant servers. But I'd say that's bad luck for them; applications should either retry or support a configuration for changing the max used protocol version.

If we could implement bug 1083767 at the same time, we could point users to potentially set an environment variable if the NSS default change broke their application.

Because of the implications, we might want to decide about the new maximum value in a separate bug. Let's discuss in the weekly conference call.
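An added illustration, not part of the bug thread and not NSS code: a small C model of the version-range trade-off discussed in the comment above, showing what raising the minimum excludes and why raising the maximum affects non-retrying clients. The types, the sample servers and the client ranges are constructed assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Protocol versions as they appear on the wire. */
enum { V_SSL3 = 0x0300, V_TLS10 = 0x0301, V_TLS11 = 0x0302, V_TLS12 = 0x0303 };

/* Hypothetical types for this model; they are not NSS structures. */
typedef struct { uint16_t min, max; } vrange;
typedef struct {
    vrange   range;            /* versions the server will negotiate */
    uint16_t intolerant_above; /* aborts when offered more than this; 0 = tolerant */
} server;

/* Constructed sample peers and client ranges (assumed for illustration). */
static const server SSL3_ONLY  = { { V_SSL3, V_SSL3 }, 0 };
static const server INTOLERANT = { { V_SSL3, V_TLS10 }, V_TLS10 };
static const vrange ALLOW_SSL3 = { V_SSL3, V_TLS10 };  /* SSL 3 still in range */
static const vrange MIN_TLS10  = { V_TLS10, V_TLS10 }; /* minimum raised */
static const vrange MAX_TLS12  = { V_TLS10, V_TLS12 }; /* maximum raised as well */

/* One handshake: the client offers `offer`; returns the agreed version or 0. */
static uint16_t handshake(uint16_t offer, const server *s)
{
    if (s->intolerant_above && offer > s->intolerant_above)
        return 0; /* version-intolerant server aborts */
    uint16_t v = offer < s->range.max ? offer : s->range.max;
    return v >= s->range.min ? v : 0;
}

/* A retrying client lowers its offer after a failure, never below c.min. */
static uint16_t client_connect(vrange c, const server *s, int retry)
{
    for (uint16_t offer = c.max; offer >= c.min; offer--) {
        uint16_t v = handshake(offer, s);
        if (v >= c.min)
            return v;
        if (!retry) break;
    }
    return 0;
}

int main(void)
{
    printf("SSL 3 in range, SSL3-only server:  0x%04x\n", (unsigned)client_connect(ALLOW_SSL3, &SSL3_ONLY, 0));
    printf("min TLS 1.0, SSL3-only server:     0x%04x\n", (unsigned)client_connect(MIN_TLS10, &SSL3_ONLY, 1));
    printf("max TLS 1.2, intolerant, no retry: 0x%04x\n", (unsigned)client_connect(MAX_TLS12, &INTOLERANT, 0));
    printf("max TLS 1.2, intolerant, retrying: 0x%04x\n", (unsigned)client_connect(MAX_TLS12, &INTOLERANT, 1));
    return 0;
}
```

A result of 0 means no connection was established; with the minimum at TLS 1.0 the client never falls back to SSL 3, even when retrying.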
See Also: → 1083900
Comment on attachment 8506113 Patch v1

Clearing review request. It seems the time hasn't come yet.
Attachment #8506113 - Flags: review?(rrelyea)
Summary: Disable SSL 3 in the default NSS configuration → Disable SSL 3 in the default NSS configuration around April 2015
Target Milestone: 3.17.3 → ---
Duping forward because the patch bitrotted and bug 1140029 has a reviewed patch.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE