Hi Stephen, xemacs-beta,
On Sun, Nov 23, 2014 at 2:31 PM, Stephen J. Turnbull <stephen(a)xemacs.org> wrote:
> Johann 'Myrkraverk' Oskarsson writes:
> Again, not really the interesting information. What is interesting is
> which sites still speak only obsolete versions of SSL and versions of
> TLS that are considered vulnerable, and whether our users need to
> access those sites.
> > SSL3 is almost 18 years old, and the world is moving on. Why do you
> > want to hold ssl.el back?
> I don't want to hold anything back. I want to avoid screwing our
> users by removing support for something that (they think) they need.
So, how does changing ssl.el screw our users? For completeness, I did
the following experiment:
1) Configure a web server to serve only ssl3.
2) Visit the site with emacs-w3m.
3) Customize ssl-program-arguments and add -no_ssl2 and -no_ssl3.
4) Visit the site with emacs-w3m.
Bottom line, emacs-w3m does not use ssl.el. What browser uses it?
w3? That's officially been defunct since 2003. eww? Does that even
work in xemacs?
> I don't care if the default is to not support those protocols, but a
> minimum level of support for XEmacs is a `supported-tls-protocols'
> variable (name is up for grabs, of course) which has a choice
> customization widget providing the obsolete protocols as options
> (along with a warning as big and red as you like in the doc for each
> option).
That's sort of reasonable, but who is going to do that?
In the meantime, adding -no_ssl2 and -no_ssl3 as defaults is trivial
and protects the regular Joe who uses, say, erc.
Johann
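
The two positions in this message (disable SSLv2/SSLv3 by default, but let a user opt back in through a customizable protocol list) can be combined as in the sketch below. It is an added example, not code from ssl.el or from either poster: every `example-' name is hypothetical, and it assumes ssl-program-arguments is the list of arguments ssl.el passes to openssl s_client.

```elisp
;; Added sketch, not part of ssl.el; every `example-' name is hypothetical.
(defgroup example-ssl nil
  "Protocol selection for the external SSL program (illustration only)."
  :group 'comm)

(defcustom example-supported-tls-protocols '(tls1)
  "Protocols the external SSL program is allowed to negotiate.
WARNING: `ssl2' and `ssl3' are obsolete.  Enable them only for a
legacy server that you must reach and that offers nothing newer."
  :type '(set (const :tag "SSLv2 (OBSOLETE)" ssl2)
              (const :tag "SSLv3 (OBSOLETE)" ssl3)
              (const :tag "TLSv1" tls1))
  :group 'example-ssl)

(defconst example-protocol-disable-flags
  '((ssl2 . "-no_ssl2") (ssl3 . "-no_ssl3") (tls1 . "-no_tls1"))
  "Map from protocol symbol to the s_client flag that disables it.")

(defun example-protocol-flags (supported)
  "Return the disable flag for every known protocol not in SUPPORTED."
  (delq nil
        (mapcar (lambda (pair)
                  (if (memq (car pair) supported) nil (cdr pair)))
                example-protocol-disable-flags)))

(defun example-apply-protocols (arguments supported)
  "Return ARGUMENTS with its protocol flags rewritten to match SUPPORTED.
Existing disable flags are dropped first, so opting back in to an
obsolete protocol works as well as opting out."
  (let ((known (mapcar 'cdr example-protocol-disable-flags))
        (kept nil))
    (while arguments
      (if (not (member (car arguments) known))
          (setq kept (cons (car arguments) kept)))
      (setq arguments (cdr arguments)))
    (append (nreverse kept) (example-protocol-flags supported))))

;; Assumes `ssl-program-arguments' is the list ssl.el hands to s_client.
(when (boundp 'ssl-program-arguments)
  (setq ssl-program-arguments
        (example-apply-protocols ssl-program-arguments
                                 example-supported-tls-protocols)))
```

With the default value of (tls1), the resulting argument list ends in -no_ssl2 -no_ssl3; ticking an obsolete protocol in the customization buffer and re-applying removes the matching flag.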