>>>> Stephen J Turnbull <stephen(a)xemacs.org> writes:
> I don't want to hold anything back.  I want to avoid screwing our
> users by removing support for something that (they think) they need.

At the same time we would want to help the users make informed decisions
so that they do not by mistake use insecure protocols. So it is a
tradeoff.

> I don't care if the default is to not support those protocols, but a
> minimum level of support for XEmacs is a `supported-tls-protocols'
> variable (name is up for grabs, of course) which has a choice
> customization widget providing the obsolete protocols as options
> (along with a warning as big and red as you like in the doc for each
> option).

So setting the default to TLS 1.0 and at the same time documenting how to
customize that to lower levels seems reasonable to me. And in the
cases where it is implemented with openssl I guess the user is anyway
at the mercy of that implementation.

However we also have the problem that not all encrypted traffic passes
through ssl.el. So we would have to see to it that
supported-tls-protocols is respected by all places where encrypted
traffic takes place.

You see, triggered by this thread, I noticed that gnus uses openssl
directly and, as it seems, could even try to use sslv2 in case that
sslv3 does not work. That does not sound good.

I have also been ignorant and not been looking into the tls-support
recently added to the core. So I don't know if that is applicable here
but from the name it sounds like we should start using that and only
fall back to ssl, and other implementations (openssl!?), if the user
requests it!?

Yours
--
%% Mats
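
A sketch of the variable discussed in the thread, with one shared helper that any code path spawning openssl could call so the setting is respected everywhere. This is an added illustration, not code from XEmacs, ssl.el or Gnus; the `example-tls-` names, the `comm` group and the use of OpenSSL 1.0.x `s_client` `-no_*` flags are assumptions.

```elisp
;; Added example.  Only the name `supported-tls-protocols' comes from the
;; thread; every `example-tls-' name below is hypothetical.
(defcustom supported-tls-protocols '(tls1)
  "Protocol versions that encrypted connections may negotiate.
WARNING: `ssl3' and `ssl2' are obsolete and insecure.  Enable them only
for a legacy server that cannot be upgraded."
  :type '(set (const :tag "TLS 1.0" tls1)
              (const :tag "SSL 3.0 (obsolete, insecure)" ssl3)
              (const :tag "SSL 2.0 (obsolete, insecure)" ssl2))
  :group 'comm)

;; Assumption: OpenSSL 1.0.x, whose s_client accepts these flags.
(defconst example-tls-openssl-disable-flags
  '((ssl2 . "-no_ssl2") (ssl3 . "-no_ssl3") (tls1 . "-no_tls1"))
  "The `openssl s_client' flag that disables each protocol version.")

(defun example-tls-openssl-args (host port)
  "Return an `openssl s_client' argument list for HOST and PORT.
Each protocol missing from `supported-tls-protocols' is disabled
explicitly, so a failed handshake cannot fall back to an older version."
  (unless supported-tls-protocols
    (error "No protocol enabled in `supported-tls-protocols'"))
  (let ((args (list "s_client" "-quiet"
                    "-connect" (format "%s:%d" host port))))
    (dolist (entry example-tls-openssl-disable-flags)
      (unless (memq (car entry) supported-tls-protocols)
        (setq args (append args (list (cdr entry))))))
    args))

;; With the default value '(tls1):
;; (example-tls-openssl-args "mail.example.org" 993)
;; evaluates to
;; ("s_client" "-quiet" "-connect" "mail.example.org:993"
;;  "-no_ssl2" "-no_ssl3")
```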