On 2014-11-19 09:58, Nikos Mavrogiannopoulos wrote:
> With that in mind, does it make sense to update the policies to remove
> SSL 3.0, or should we wait until F22?
In Mozilla's infrastructure, our recommendation is to disable SSLv3 by
default everywhere, and only enable it when the service explicitly needs
backward compatibility with very old clients.
In our guidelines, the default level 'intermediate' disables SSLv3.
https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
We found that a small number of services need backward compatibility:
* mozilla.org, because we still see traffic coming from Windows XP pre-sp3
* supporting sites of mozilla.org for the same reason
* irc.mozilla.org, because of very old IRC clients
These follow the 'old' configuration guidelines, which enable SSLv3.
My experience is that no service needs SSLv3 by default. If a service
needs SSLv3, operators should be able to detect it, and configure it.
Having logs that indicate a handshake failure because the client did not
support the required protocols is a great help to operators.
- Julien
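One way to act on the last point, as an added example that is not part of the thread: a small Python script that scans nginx error-log lines for handshake failures caused by a protocol-version mismatch and tallies them per client, so an operator can see whether any real population needs SSLv3 before turning it back on. The sample log lines are constructed here and assume nginx/OpenSSL message phrasing.

```python
import re
from collections import Counter

# Constructed sample nginx error-log lines (assumption: nginx/OpenSSL phrasing;
# not taken from the original thread). Three protocol mismatches from two
# clients, one unrelated cipher mismatch, and one non-TLS error line.
SAMPLE_LOG = """\
2014/11/19 10:01:02 [crit] 1234#0: *55 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2014/11/19 10:01:09 [crit] 1234#0: *57 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2014/11/19 10:02:31 [crit] 1234#0: *60 SSL_do_handshake() failed (SSL: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2014/11/19 10:03:00 [crit] 1234#0: *61 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2014/11/19 10:03:12 [error] 1234#0: *62 open() "/var/www/missing" failed (2: No such file or directory), client: 203.0.113.9, server: example.org
"""

# Matches the OpenSSL reason string and the client address of a failed handshake.
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:[0-9A-Fa-f]+:SSL routines:"
    r"[^:]+:(?P<reason>[^)]+)\) while SSL handshaking, client: (?P<client>[0-9A-Fa-f.:]+)"
)

# Reasons that indicate the client offered only protocol versions the server
# no longer accepts (e.g. an SSLv3-only client against a configuration that
# disables SSLv3). Other failures (no shared cipher, bad records) are excluded.
PROTOCOL_REASONS = {"unsupported protocol", "wrong version number"}


def handshake_failures(log_text):
    """Yield (client, reason) for every failed TLS handshake found in the log."""
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            yield m.group("client"), m.group("reason")


def protocol_failures_by_client(log_text):
    """Count handshake failures caused by a protocol-version mismatch, per client."""
    return Counter(
        client for client, reason in handshake_failures(log_text)
        if reason in PROTOCOL_REASONS
    )


def summarize(log_text):
    """Return the totals an operator would review before re-enabling an old protocol."""
    failures = list(handshake_failures(log_text))
    by_client = protocol_failures_by_client(log_text)
    return {
        "handshake_failures": len(failures),
        "protocol_failures": sum(by_client.values()),
        "clients_needing_old_protocols": sorted(by_client),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real error log by replacing SAMPLE_LOG with the file's contents; a handful of protocol failures from a single address is a different decision than sustained traffic from many.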
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security