On Thu, 2014-11-20 at 13:39 +0100, Hubert Kario wrote:
> > > > With that in mind, does it make sense to update the policies to
> > > > remove SSL 3.0, or should we wait until F22?
> > >
> > > In Mozilla's infrastructure, our recommendation is to disable SSLv3 by
> > > default everywhere, and only enable it when the service explicitly needs
> > > backward compatibility with very old clients.
> >
> > I understand, but please read the rest of my mail. The issue here is
> > that we cannot disable SSLv3 in NSS via the system-wide crypto policies
> > (not until [0] is included in NSS), and not in openssl either, because it
> > provides no cipher string to achieve that goal. So the question is: does
> > it matter to disable SSLv3 in the global settings, if that would only
> > affect gnutls tools, which are a minority in Fedora?
>
> Aren't there other parts of the policies which are not enforced? I mean
> signature algorithms on certificates and in TLS 1.2 (EC)DHE key exchange?
> Key sizes?
>
> We probably should document which parts are actually enforced, and by which
> libraries, but the actual policy should state the desired outcome (in this
> case: SSLv3 disabled).

I tend to agree. Could you or Eric file a bug report against crypto-policy? As we are pretty late in the schedule, it will have to be accepted as a blocker.

regards,
Nikos

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security