
curl-library

Re: SSLv3 fallback attack POODLE

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Fri, 24 Oct 2014 12:54:23 +0200

On Friday 17 October 2014 16:40:46 Daniel Stenberg wrote:
> On Fri, 17 Oct 2014, Florian Weimer wrote:
> > Do you consider the fallback logic in the NSS code a security
> > vulnerability? Then it might make sense to release its removal as a
> > separate security fix, and not include the SSL 3.0 removal, to minimize
> > the compatibility impact.
> I don't. The POODLE attack doesn't work on anything that uses libcurl from
> what I've seen[1], so all our talk and discussions about disabling SSLv3 and
> removing the fallback logic in NSS are only extra precautions because they
> are involved in the POODLE attack and thus indicate areas that involve
> problems and weak security.
>
> [1] = http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/

Is the plan to disable SSL 3.0 by default still valid?

Are we going to make the change before the upcoming release?

Should I unimplement the fallback to SSL 3.0 in the NSS backend now, or wait
till Ray's patch appears upstream?

Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-24
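The thread turns on one distinction: POODLE needs a client that, after a failed handshake, retries with an older protocol version until it lands on SSL 3.0, and libcurl does not do that. The following model, added here as an illustration and not code from the thread, libcurl or NSS, walks a constructed client policy through an on-path failure and shows the three configurations the mail discusses: fallback logic with SSL 3.0 enabled, fallback removed, and SSL 3.0 disabled by default. All version numbers, policies and the "attacker drops the first N handshakes" network model are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a TLS client's version-selection policy (not libcurl
 * or NSS code). Versions use the on-the-wire encoding: SSL 3.0 = 0x0300,
 * TLS 1.0 = 0x0301 and so on, so "one version lower" is a subtraction. */
enum version { SSLV3 = 0x0300, TLS10 = 0x0301, TLS11 = 0x0302, TLS12 = 0x0303 };

struct policy {
    enum version min_version;  /* lowest version the client will ever use */
    enum version max_version;  /* version offered on the first attempt */
    bool fallback_on_failure;  /* retry one version lower after a failed handshake */
};

struct server { enum version min_version, max_version; };

/* Active attacker on the path: makes the next N handshake attempts fail,
 * e.g. by dropping them. That is what triggers a browser-style downgrade. */
struct network { int failures_left; };

/* One handshake attempt. Returns the negotiated version, or 0 on failure. */
static int attempt_handshake(struct network *net, const struct server *srv,
                             enum version offered)
{
    if (net->failures_left > 0) {
        net->failures_left--;
        return 0;
    }
    if (offered < srv->min_version)
        return 0;
    return offered < srv->max_version ? (int)offered : (int)srv->max_version;
}

/* Client side of the negotiation under `pol`. Returns the version the
 * connection ends up on, or 0 if the client fails closed. */
int negotiate(const struct policy *pol, const struct server *srv,
              struct network *net)
{
    enum version offered = pol->max_version;
    for (;;) {
        int got = attempt_handshake(net, srv, offered);
        if (got != 0)
            return got;
        /* Without fallback logic a failed handshake is simply an error. */
        if (!pol->fallback_on_failure || offered == pol->min_version)
            return 0;
        offered = (enum version)(offered - 1);  /* the downgrade dance */
    }
}

/* The three client configurations discussed in the thread (constructed). */
static const struct policy LEGACY_FALLBACK  = { SSLV3, TLS12, true  };
static const struct policy FALLBACK_REMOVED = { SSLV3, TLS12, false };
static const struct policy SSLV3_DISABLED   = { TLS10, TLS12, true  };

/* A server that still speaks everything from SSL 3.0 to TLS 1.2 (constructed). */
static const struct server ANY_SERVER = { SSLV3, TLS12 };

/* Run one policy against ANY_SERVER with an attacker who fails the first
 * `attacker_failures` handshakes. Returns the negotiated version or 0. */
int run_scenario(const struct policy *pol, int attacker_failures)
{
    struct network net = { attacker_failures };
    return negotiate(pol, &ANY_SERVER, &net);
}

int main(void)
{
    const struct { const char *name; const struct policy *pol; } cases[] = {
        { "fallback + SSLv3 enabled", &LEGACY_FALLBACK },
        { "fallback removed",         &FALLBACK_REMOVED },
        { "SSLv3 disabled",           &SSLV3_DISABLED },
    };
    for (int i = 0; i < 3; i++) {
        for (int failures = 0; failures <= 3; failures++) {
            int v = run_scenario(cases[i].pol, failures);
            if (v)
                printf("%-26s dropped handshakes=%d -> 0x%04x\n", cases[i].name, failures, v);
            else
                printf("%-26s dropped handshakes=%d -> connection fails\n", cases[i].name, failures);
        }
    }
    return 0;
}
```

Only the first configuration ever reaches 0x0300: three dropped handshakes walk it from TLS 1.2 down to SSL 3.0, which is the precondition POODLE needs. Removing the fallback makes a single dropped handshake an error instead of a retry, and disabling SSL 3.0 by default caps the walk at TLS 1.0, so either change on its own closes the path, which is why the mail can treat them as separate precautions. In a real libcurl application the equivalent floor is set per handle with CURLOPT_SSLVERSION rather than by a policy struct like this one.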