Closed Bug 593080 Opened 15 years ago Closed 14 years ago

Change the default of the SSL_ENABLE_SSL2 option to PR_FALSE

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(1 file)

The default value of the SSL_ENABLE_SSL2 option is PR_TRUE: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/sslsock.c&rev=1.68&mark=165,172#165 I propose we change the default to PR_FALSE. I'd like to make this change on the NSS trunk (NSS 3.13) first.
This is a break in backwards compatibility. It is not the only such change I would make. I would also enable many SSL3/TLS cipher suites by default. I wonder if we should declare this to be NSS 4.0 to make these changes.
Attached patch Proposed patchSplinter Review
Bob: the patch is simple, but please evaluate the implications (shown by the changes to the NSS SSL test programs) carefully. While writing this patch, I discovered three issues. 1. The default of the closely-related option SSL_V2_COMPATIBLE_HELLO also needs to be changed to be consistent. 2. strsclnt relies on the facts that SSL_ENABLE_SSL2 is default on, and that turning off SSL_V2_COMPATIBLE_HELLO also turns off SSL_ENABLE_SSL2, so it calls SSL_OptionSet on SSL_V2_COMPATIBLE_HELLO only. In the new world, that call won't be able to turn on SSL_ENABLE_SSL2. I changed it to also call SSL_OptionSet on SSL_ENABLE_SSL2. 3. All of the three SSL test programs turn on SSL 2.0 by default and provide a command-line option to disable SSL 2.0. I didn't change that because it is confusing to change the meaning of those command-line options.
Attachment #565316 - Flags: review?(rrelyea)
Priority: P2 → P1
Comment on attachment 565316 [details] [diff] [review] Proposed patch r+ If we have a problem with this, we'll probably add an environment variable to tweek this, but for now I think this patch is fine. Any app that has explicit controls can still turn things on if they want. bob
Attachment #565316 - Flags: review?(rrelyea) → review+
Patch checked in on the NSS trunk (NSS 3.13). Checking in cmd/strsclnt/strsclnt.c; /cvsroot/mozilla/security/nss/cmd/strsclnt/strsclnt.c,v <-- strsclnt.c new revision: 1.70; previous revision: 1.69 done Checking in cmd/tstclnt/tstclnt.c; /cvsroot/mozilla/security/nss/cmd/tstclnt/tstclnt.c,v <-- tstclnt.c new revision: 1.64; previous revision: 1.63 done Checking in lib/ssl/ssl.h; /cvsroot/mozilla/security/nss/lib/ssl/ssl.h,v <-- ssl.h new revision: 1.44; previous revision: 1.43 done Checking in lib/ssl/sslsock.c; /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v <-- sslsock.c new revision: 1.74; previous revision: 1.73 done
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: