Disable SSL versions using environment variables
(Reporter: kaie, Unassigned)

Description

Many applications use hardcoded calls to configure the enabled SSL/TLS versions.

In emergency situations like POODLE, it might be helpful to have the ability to override the behaviour of legacy applications that cannot be changed immediately.

This suggests implementing support for a new environment variable, which could be used to disable given SSL protocol versions, regardless of application calls.

(E.g. NSS_SSL_DISABLE_PROTOCOLS="SSL3:TLS1.0")
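
As an added illustration (not NSS code, and not part of this bug), here is a sketch of how such an override could be applied on top of the version range an application hardcoded. The variable name comes from the description above; the colon-separated list format, the token names and the rule that disabling a version also disables everything older are assumptions:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Version codes as used on the wire (NSS's SSL_LIBRARY_VERSION_* use the same values). */
#define VER_SSL3   0x0300
#define VER_TLS1_0 0x0301
#define VER_TLS1_1 0x0302
#define VER_TLS1_2 0x0303

/* Map one list token ("SSL3", "TLS1.0", ...) to a version code; 0 if unknown. */
static uint16_t token_to_version(const char *tok, size_t len) {
    static const struct { const char *name; uint16_t ver; } table[] = {
        { "SSL3", VER_SSL3 }, { "TLS1.0", VER_TLS1_0 },
        { "TLS1.1", VER_TLS1_1 }, { "TLS1.2", VER_TLS1_2 },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == len && strncmp(table[i].name, tok, len) == 0)
            return table[i].ver;
    return 0;
}

/* Parse a colon-separated list such as "SSL3:TLS1.0" and return the highest
   version it names. Assumption: disabling a version also disables everything
   older, so the list collapses to a floor. Unknown tokens are ignored; 0 = none. */
uint16_t parse_disabled_max(const char *spec) {
    uint16_t highest = 0;
    while (spec && *spec) {
        const char *sep = strchr(spec, ':');
        size_t len = sep ? (size_t)(sep - spec) : strlen(spec);
        uint16_t v = token_to_version(spec, len);
        if (v > highest) highest = v;
        if (!sep) break;
        spec = sep + 1;
    }
    return highest;
}

/* Clamp the [min, max] range an application hardcoded against the override
   and return the effective minimum, or 0 if no usable version remains. */
uint16_t effective_min(const char *spec, uint16_t min, uint16_t max) {
    uint16_t floor = parse_disabled_max(spec);
    if (floor == 0) return min;          /* variable unset or nothing recognised */
    if (floor >= max) return 0;          /* every version the app wanted is disabled */
    return min > floor ? min : (uint16_t)(floor + 1);
}

/* Read the override from the environment, as the proposal describes. */
uint16_t effective_min_from_env(uint16_t min, uint16_t max) {
    return effective_min(getenv("NSS_SSL_DISABLE_PROTOCOLS"), min, max);
}
```

A caller that gets 0 back should refuse to start the connection rather than silently fall back to the disabled versions.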

Comment 1

(In reply to Kai Engert (:kaie) from comment #0)
> Many applications use hardcoded calls to configure the enabled SSL/TLS
> versions.
> 
> In emergency situations like POODLE, it might be helpful to have the ability
> to override the behaviour of legacy applications that cannot be changed
> immediately.
> 
> This suggests implementing support for a new environment variable, which
> could be used to disable given SSL protocol versions, regardless of
> application calls.
> 
> (E.g. NSS_SSL_DISABLE_PROTOCOLS="SSL3:TLS1.0")

Might there be a way to coordinate this with other TLS libraries (most notably OpenSSL), so that users of clients of multiple libraries won't have to waste their environment space on environment-based configurations for every library their software installations use?

This happens to be a global emergency across all library vendors, not limited solely to NSS.

Comment 2

Kai, is this now superseded by the work that Nikos did on implementing system-wide policies?
Flags: needinfo?(kaie)

Comment 3

(In reply to Martin Thomson [:mt:] from comment #2)
> Kai, is this now superseded by the work that Nikos did on implementing
> system-wide policies?

On Fedora Linux, the answer is yes, because I can see that the policy rules include a rule to define the minimum version of TLS allowed.

The remaining question is, is anyone interested in a more general solution, that would work in all environments where NSS might be used?
Flags: needinfo?(kaie)