Re: Disable SSL2 and SSL3 in ssl.el?
>>>> Stephen J Turnbull <stephen(a)xemacs.org> writes:
These days I'd say the odds strongly favor defaulting SSL2/3
*off*.
I'm not ready to remove them, though. TLS 1.0[1] has some known
issues, too, but I don't think we can default that off yet.
This sounds good to me.
I think if you're that worried about security, you shouldn't
being
using Emacsen at all. Half-joking, of course, but really, if
there's real insecurity in your system, [...]
This is not about the security of our machines. It is about securing
the traffic going in and out.
The core support *is* OpenSSL (or nss or gnutls), and they all
support the older protocols. [...]
What I mean is that, at least when it comes to GNUS, it uses the
openssl client through some process interface. I
guessed/thought/dreamed our tls-module would provide some API instead
(which might use the openssl client below the surface for what I know)
and that we should use that in gnus, ssl.el and whatever other places
we use tls/ssl. I haven't looked at it though more than I know we now
have a file called tls.c.
Yours
--
%% Mats
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta