On Nov 11, 2014 12:44 AM, "Stephen Gallagher" <sgallagh(a)redhat.com>
> On Nov 10, 2014, at 11:19 PM, T.C. Hollingsworth <
> > Upstream disabled SSLv3 in v0.10.33. I've been putting off dealing
> > with it because I've been very busy, but I already got a request to do
> > the same in EPEL.
> > I was leaning toward not disabling it in <F20 and EPEL, since we
> > typically don't do that sort of thing in stable releases. But it
> > could get very confusing if upstream has disabled SSLv3 and we're
> > shipping versions that claim to have it disabled. So I guess stable
> > releases will be stuck at 0.10.32 + backports from future stable
> > releases forever. Unless I'm being too pedantic and should just push
> > the new upstream release unmodified?
> > However, I think it's still early enough to do this for F21 at least
> > so that's not stuck with the same issue forever. So unless a
>
> I'd say that this *specific* change is acceptable for backport to the
> branches because of the POODLE vulnerability. Plenty of other
> packages are making this change.

After confirming the answer to your next question I don't have any problem
with this. And nobody else commented, so unless someone objects I'll send
0.10.33 to testing as soon as I can use something better than a phone. :-)
I'll announce here and on epel-announce after they are pushed.

> Is it possible to carry a patch that allows our users to re-enable it
> at runtime if they absolutely must? If so, that's probably the optimum

The upstream fix adds an `--enable-ssl3` argument to the `node` executable
to re-enable SSLv3 fallback. Also, any code that explicitly requests
'SSLv3_method' while opening the connection will continue to use only SSLv3
regardless of whether the flag is set.
This is described in detail here:
I'll make sure to include this information in the aforementioned
P.S. I haven't forgotten that e-mail regarding npm/rpm integration, but
I've been way too busy to do much justice to a reply. Sorry. :-( I figure
you are too, getting F21 out the door. (Lots of awesome stuff in Server BTW,
thanks!) Hopefully we can get back to it after the holidays?
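
An added example, not part of the original message or of the node package: a small audit helper for the two ways the thread says SSLv3 can still be in use after the update, code that explicitly requests 'SSLv3_method' and launch lines that pass `--enable-ssl3`. The file names, sample contents and the `auditText`/`auditAll` helpers are constructed for illustration; `secureProtocol` is the option of node's `tls` module where such a method name is passed.

```javascript
'use strict';

// Method names that pin a connection to SSLv3. 'SSLv3_method' is the one the
// thread names; the _client/_server variants are the matching OpenSSL names.
const EXPLICIT = /['"](SSLv3(?:_client|_server)?_method)['"]/;
// The re-enable switch as a whole token, so a longer option that merely
// starts with the same text is not reported.
const FLAG = /(?:^|\s)--enable-ssl3(?=\s|$)/;

// Returns one finding per offending line of one file.
function auditText(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    const isShebang = line.startsWith('#!');
    // Skip whole-line comments, but keep shebangs: they can carry the flag.
    if (!isShebang && (line.startsWith('//') || line.startsWith('#'))) return;
    const m = EXPLICIT.exec(line);
    if (m) {
      findings.push({ file, line: i + 1, kind: 'explicit-sslv3', detail: m[1] });
    }
    if (FLAG.test(line)) {
      findings.push({ file, line: i + 1, kind: 'flag-enabled', detail: '--enable-ssl3' });
    }
  });
  return findings;
}

// Constructed sample inputs (not taken from any real project).
const SAMPLES = {
  'client.js': [
    "var tls = require('tls');",
    "// secureProtocol: 'SSLv3_method' was removed in review",
    "tls.connect({ host: 'legacy.example', port: 443, secureProtocol: 'SSLv3_method' });",
    "tls.connect({ host: 'api.example', port: 443, secureProtocol: 'TLSv1_method' });",
  ].join('\n'),
  'app.service': [
    '# systemd unit (constructed)',
    'ExecStart=/usr/bin/node --enable-ssl3 /srv/app/server.js',
  ].join('\n'),
  // Constructed look-alike option, present only to show it is not matched.
  'ok.sh': 'exec node --enable-ssl3-check server.js',
};

function auditAll(files) {
  return Object.keys(files).flatMap((f) => auditText(f, files[f]));
}

auditAll(SAMPLES).forEach((f) => console.log(`${f.file}:${f.line} ${f.kind} ${f.detail}`));
```

The `explicit-sslv3` findings matter most for review, since per the message above those connections stay on SSLv3 whether or not the flag is set.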