[PATCH] SSL: don't enable SSLv3 by default

Piotr Sikora piotr at cloudflare.com
Thu Oct 30 23:33:09 UTC 2014

Hey Maxim,

> - SSLv3 is still important from compatibility point of view, there
>   are various clients which doesn't support (or enable by default)
>   anything better;

But is it, really?

All major browsers (Chrome [1], Firefox [2], IE [3], Opera [4]) either
already disabled SSLv3 or are about to do it.

Huge chunk of websites (>42% of Alexa's top 10.000 [5]) requires at
least TLSv1.0, including major properties like Facebook, Twitter [6],
Wikipedia [7] and websites that are using one of the popular CDNs
(CloudFlare [8], Akamai [9], MaxCDN [10], Fastly [11]).

OpenBSD and LibreSSL disabled SSLv3 by default [12].

Furthermore, when we disabled SSLv3 across our network [8] and gave
website owners the ability to opt-in back to it... less than 0.001%
did re-enable it.

Hopefully that list is long enough to convince you that SSLv3 is not
really important... Definitely not important enough to be enabled by
default, because that's what the commit changes, people can still
enable SSLv3 in the conf if they really need to.

[1] https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4
[2] https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
[3] http://azure.microsoft.com/blog/2014/10/29/protecting-against-the-ssl-3-0-vulnerability/
[4] http://blogs.opera.com/security/2014/10/security-changes-opera-25-poodle-attacks/
[5] https://8ack.de/ssl/
[6] https://twitter.com/twittersecurity/status/522190947782643712
[7] https://blog.wikimedia.org/2014/10/17/protecting-users-against-poodle-by-removing-ssl-3-0-support/
[8] https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
[9] https://blogs.akamai.com/2014/10/poodle-faq-what-akamai-customers-need-to-know.html
[10] https://www.maxcdn.com/blog/delivery-sslv3-disabled/
[11] http://www.fastly.com/blog/fastly-update-POODLE/
[12] http://marc.info/?l=openbsd-cvs&m=141339479327258&w=2

Best regards,
Piotr Sikora

More information about the nginx-devel mailing list