[PATCH] SSL: don't enable SSLv3 by default

Maxim Dounin mdounin at mdounin.ru
Thu Oct 30 13:47:35 UTC 2014


On Wed, Oct 29, 2014 at 09:17:04PM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1414642398 25200
> #      Wed Oct 29 21:13:18 2014 -0700
> # Node ID bf17486e5d30574b870926b76c1d6f421e4def75
> # Parent  87ada3ba1392fadaf4d9193b5d345c248be32f77
> SSL: don't enable SSLv3 by default.

This was discussed excessively both in the office here and 
in the Russian mailing list a while ago, and the consensus is that we are 
not changing the default for now.

Rationale is as follows:

- SSLv3 is still important from a compatibility point of view; there 
  are various clients which don't support (or enable by default) 
  anything better;

- Mitigation for POODLE is already good and improving, including 
  fallback protection via TLS_FALLBACK_SCSV and anti-POODLE record 
  splitting; so, basically, modern browsers are not affected.

Maxim Dounin
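Since the patch was declined, an operator who does not want SSLv3 has to set ssl_protocols explicitly rather than rely on the compiled-in default. The configuration below is an added example and not code from the thread or from nginx itself; the hostname and certificate paths are placeholders, and the "weak" line reproduces what the implicit default of nginx at the time of this thread (1.7.x) expanded to, as I recall it from the ssl_protocols documentation of that period.

```nginx
# Added example, not part of the original thread. Hostname and paths are
# placeholders. Two server blocks: the first shows the weak setting, the
# second the hardened one.

http {
    # Weak: relying on the implicit default. When this thread was written
    # the default was equivalent to the line below, so SSLv3 stayed on
    # and a client that could be forced to fall back was exposed to POODLE.
    server {
        listen 443 ssl;
        server_name legacy.example.com;
        ssl_certificate     /etc/nginx/certs/legacy.example.com.pem;
        ssl_certificate_key /etc/nginx/certs/legacy.example.com.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    }

    # Hardened: set the directive explicitly so the build's default no
    # longer matters. A server that never negotiates SSLv3 cannot be
    # attacked with POODLE regardless of what the client supports.
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/certs/www.example.com.pem;
        ssl_certificate_key /etc/nginx/certs/www.example.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
```

After reloading, `openssl s_client -connect www.example.com:443 -ssl3` should fail with a handshake failure (this check only works from an OpenSSL build that still ships SSLv3 client support). The fallback protection Maxim mentions needs no nginx directive: nginx honours TLS_FALLBACK_SCSV automatically once it is linked against an OpenSSL that implements it (1.0.1j or later), so the `ssl_protocols` line is the only configuration change required on the server side.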
