[PATCH] SSL: don't enable SSLv3 by default

Richard Fussenegger richard at fussenegger.info
Thu Oct 30 15:30:46 UTC 2014


On 10/30/2014 4:26 PM, Maxim Dounin wrote:
> And there are various clients which
> don't support anything better, including IE6 on XP.
> [...]
> Talking about not updated versions from a security point of
> view is mostly pointless, as there are multiple security problems
> fixed on a regular basis, and not updated means not secure.

Well, that's actually my point. Those old libraries and clients 
shouldn't be supported since they are, well, old. Like the old versions 
of the others.

Also note that SSLv3's RFC has status HISTORIC. The guys over at the 
IETF TLS list are talking about deprecating it, but some parties argue 
that the HISTORIC status is equivalent to deprecation.

Richard
