[PATCH] SSL: don't enable SSLv3 by default
mdounin at mdounin.ru
Thu Oct 30 13:47:35 UTC 2014
On Wed, Oct 29, 2014 at 09:17:04PM -0700, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1414642398 25200
> # Wed Oct 29 21:13:18 2014 -0700
> # Node ID bf17486e5d30574b870926b76c1d6f421e4def75
> # Parent 87ada3ba1392fadaf4d9193b5d345c248be32f77
> SSL: don't enable SSLv3 by default.

This was discussed excessively both in the office here and
in the Russian mailing list a while ago, and the consensus is that we are
not changing the default for now.

The rationale is as follows:

- SSLv3 is still important from a compatibility point of view; there
are various clients which don't support (or enable by default)

- Mitigation for POODLE is already good and improving, including
fallback protection via TLS_FALLBACK_SCSV and anti-POODLE record
splitting; so, basically, modern browsers are not affected.
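Since the default discussed above keeps SSLv3 enabled, an operator who wants it off has to set `ssl_protocols` explicitly. The following is an added configuration example, not code from the patch or from the thread participants; the server name and certificate paths are placeholders.

```nginx
# Added example, not part of the patch under discussion.
# With the default left unchanged, SSLv3 stays enabled unless
# ssl_protocols is set explicitly, so the protocol list is given here.
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/ssl/example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # placeholder

    # Exclude SSLv3 explicitly. Clients that cannot speak TLS 1.0 or
    # newer will fail the handshake, which is the compatibility cost
    # the thread weighs against the POODLE risk.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

To confirm the setting took effect, `openssl s_client -connect example.com:443 -ssl3` should fail the handshake once SSLv3 is no longer offered.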