[PATCH] SSL: don't enable SSLv3 by default
Maxim Dounin
mdounin at mdounin.ru
Thu Oct 30 15:26:11 UTC 2014
Hello!
On Thu, Oct 30, 2014 at 03:05:18PM +0100, Richard Fussenegger wrote:
> The rationale may make sense depending on the priorities, but shouldn't the
> default configuration target generic applications? Generic applications
> don't need compatibility with ancient software (only IE6 on XP actually
> /needs/ SSLv3, don't know about libraries though).
That's excatly the point: the default is for generic case, and in
general there is nothing wrong with supporting SSLv3 as long as
nothing better is available. And there are various clients which
don't support anything better, including IE6 on XP.
The bad thing with POODLE is actually that due to fallback code in
browsers it used to affect modern browsers. This problem goes
away gradually.
> Administrators who need the support can still enable it and make use of
> SCSV. And don't forget that 'modern browser' applies to IE up to 11, FF up
> to 34, Chrome up to ? (couldn't find the exact version) of which actually
> not a single one has SCSV support and they won't get it! Providing
As of now, the problem doesn't affect at least:
- latest versions of Chrome (TLS_FALLBACK_SCSV);
- latest versions of Opera (TLS_FALLBACK_SCSV, anti-POODLE record
splitting);
- latest versions of Safari (no block ciphers over SSLv3);
- latest (upcoming?) versions of Firefox (disabled fallback to
SSLv3);
- upcoming versions of IE (announced plans to disable fallback to
SSLv3).
This basically covers all modern browsers (or at least almost
all). Talking about not updated versions from security point of
view is mostly pointless, as there are multiple security problems
fixed on a regular basis, and not updated means not secure.
--
Maxim Dounin
http://nginx.org/
More information about the nginx-devel
mailing list