[PATCH] SSL: don't enable SSLv3 by default

Richard Fussenegger richard at fussenegger.info
Thu Oct 30 14:05:18 UTC 2014


The rationale may make sense depending on the priorities, but shouldn't 
the default configuration target generic applications? Generic 
applications don't need compatibility with ancient software (only IE6 on 
XP actually /needs/ SSLv3, don't know about libraries though).

Administrators who need the support can still enable it and make use of 
SCSV. And don't forget that 'modern browser' applies to IE up to 11, FF 
up to 34, Chrome up to ? (couldn't find the exact version) of which 
actually not a single one has SCSV support and they won't get it! 
Providing compatibility for ancient out-of-life software and supporting 
a serious vulnerability for widely used (some ESR) software seems a bit 
dangerous to me.

The default configuration should protect the /wanna-be/ administrators. 
All others will most likely tune their config no matter what is supplied.

Best,
Richard

On 10/30/2014 2:47 PM, Maxim Dounin wrote:
> Hello!
>
> On Wed, Oct 29, 2014 at 09:17:04PM -0700, Piotr Sikora wrote:
>
>> # HG changeset patch
>> # User Piotr Sikora <piotr at cloudflare.com>
>> # Date 1414642398 25200
>> #      Wed Oct 29 21:13:18 2014 -0700
>> # Node ID bf17486e5d30574b870926b76c1d6f421e4def75
>> # Parent  87ada3ba1392fadaf4d9193b5d345c248be32f77
>> SSL: don't enable SSLv3 by default.
> This was discussed excessively both in the office here and
> in Russian mailing list a while ago, and consensus is that we are
> not changing the default for now.
>
> Rationale is as follows:
>
> - SSLv3 is still important from compatibility point of view, there
>    are various clients which doesn't support (or enable by default)
>    anything better;
>
> - Mitigation for POODLE is already good and improving, including
>    fallback protection via TLS_FALLBACK_SCSV and anti-POODLE record
>    splitting; so, basically, modern browsers are not affected.
>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20141030/1f3d14e7/attachment.bin>


More information about the nginx-devel mailing list