Re: Disable SSL2 and SSL3 in ssl.el?
On Fri, 21 Nov 2014 02:32:42 +0000
"Johann 'Myrkraverk' Oskarsson"
<myrkraverk(a)users.sourceforge.net>
wrote:
Hi all,
I'm sure you're all aware of the recent security flaws exposed with
SSL3.
Therefore I have to ask, should we disable SSL2 and SSL3 support in
ssl.el?
A little bit of reading shows that we can probably do this by adding
-no_ssl2 and -no_ssl3 to the ssl-program-arguments in ssl.el. I have
not tested it yet.
Are there other SSL interfaces exposed on the lisp level?
Disabling ssl2 is probably a good idea. It is very obsolete now and (I
assume) somebody who really needs it can enable it.
ssl3 is a bit more iffy. IMHO the poodle attack is overblown since the
attacker also needs a man in the middle attack. It also looks like they
need a connection for every byte which is easy to look for and rate
limit with any good firewall.
On the other hand, most clients support TLS now. So if it is easy to
re-enable it I don't see a huge problem.
In short, if it is easy to re-enable them then my gut reaction is that
disabling them would be a good idea.
Cheers,
Sean
_______________________________________________
XEmacs-Beta mailing list
XEmacs-Beta(a)xemacs.org
http://lists.xemacs.org/mailman/listinfo/xemacs-beta