On Wed, 2014-11-19 at 11:19 -0500, Eric H. Christensen wrote:
> On Wed, Nov 19, 2014 at 03:58:36PM +0100, Nikos Mavrogiannopoulos wrote:
> > Hello,
> > Eric Christensen proposed removing SSL 3.0 from the DEFAULT crypto
> > policy in F21, due to the POODLE attack. I experimented a bit, and
> > noticed (again) that openssl cannot set the supported versions via a
> > cipher string, and since NSS is still work in progress, it would
> > actually mean that this setting would only apply to gnutls. Also Tomas
> > Mraz noticed quite a few mail clients that still use SSL 3.0 only, meaning
> > SSL 3.0 is not completely dead yet and may cause compatibility issues
> > for Fedora servers that use these strings.
>
> You can't disable SSLv3 in OpenSSL why? AFAIK that functionality has been
> available for a while.

The only way to disable SSL 3.0 in openssl is via the SSL_OP_NO_SSLv3 flag, which
cannot be set via a cipher string, and that is the only factor
crypto-policies can control. A way to fix that is by adding a new cipher
string for that. If no-one adds that, we plan to propose such a patch
once our patches for custom cipher strings are accepted.

regards,
Nikos

[0]. https://github.com/openssl/openssl/pull/192
https://github.com/openssl/openssl/pull/193

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
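The point Nikos makes above, that an OpenSSL cipher string filters cipher suites but cannot touch the SSL_OP_NO_SSLv3 option bit, can be observed through Python's ssl module, which is a thin wrapper over OpenSSL's SSL_CTX. The example below is an added illustration, not code from the thread or from crypto-policies; the cipher string POLICY_CIPHER_STRING is a constructed stand-in for whatever a policy profile might hand to OpenSSL, and the function names are the example's own.

```python
"""Added example (not part of the mailing-list thread): show that an OpenSSL
cipher string and the SSL_OP_NO_SSLv3 option are independent controls, using
Python's ssl module as a wrapper over OpenSSL's SSL_CTX."""
import ssl
import warnings

# Constructed cipher string, representative of what a crypto-policy profile
# might pass to OpenSSL. Nothing in it can name or exclude a protocol version.
POLICY_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5:!RC4"


def sslv3_flag_set(ctx):
    """Return True if the context's SSL_OP_NO_SSLv3 option bit is set."""
    return bool(int(ctx.options) & int(ssl.OP_NO_SSLv3))


def clear_sslv3_flag(ctx):
    """Clear SSL_OP_NO_SSLv3 (Python sets it by default) so the effect of the
    cipher string can be observed from a known starting state."""
    with warnings.catch_warnings():
        # Python 3.10+ deprecates the OP_NO_* bits in favour of minimum_version;
        # the bit still maps directly onto OpenSSL's SSL_OP_NO_SSLv3.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options &= ~ssl.OP_NO_SSLv3
    return sslv3_flag_set(ctx)


def apply_cipher_string(ctx, cipher_string):
    """Apply a cipher string and report the option bits before and after.

    Returns (options_before, options_after). SSL_CTX_set_cipher_list only
    selects cipher suites; it never sets or clears SSL_OP_NO_SSLv3, so the two
    values are always identical, which is the limitation discussed in the thread.
    """
    before = int(ctx.options)
    ctx.set_ciphers(cipher_string)
    after = int(ctx.options)
    return before, after


def disable_sslv3(ctx):
    """Disable SSL 3.0 the only way OpenSSL allows: via the option flag."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv3
    return sslv3_flag_set(ctx)


def demonstrate(cipher_string=POLICY_CIPHER_STRING):
    """Run the three steps and return a summary dict of what was observed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    after_clear = clear_sslv3_flag(ctx)
    before, after = apply_cipher_string(ctx, cipher_string)
    after_flag = disable_sslv3(ctx)
    return {
        "sslv3_blocked_after_clear": after_clear,          # False
        "cipher_string_changed_options": before != after,  # False
        "sslv3_blocked_after_flag": after_flag,            # True
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The summary shows the two controls side by side: the cipher string leaves the option bits untouched, while SSL_CTX_set_options (here via `ctx.options`) is what actually blocks SSL 3.0. A policy mechanism that can only emit cipher strings therefore cannot express "no SSL 3.0" for OpenSSL without a dedicated keyword, which is the patch the thread proposes.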