Re: crypto policies for F21 without SSL 3.0?
On Wed, 2014-11-19 at 11:29 -0500, Julien Vehent wrote:
On 2014-11-19 09:58, Nikos Mavrogiannopoulos wrote:
> With that in mind, does it make sense to update the policies to
> remove
> SSL 3.0, or should we wait until F22?
In Mozilla's infrastructure, our recommendation is to disable SSLv3 by
default everywhere, and only enable it when the service explicitly needs
backward compatibility with very old clients.
I understand, but please read the rest of my mail. The issue here is
that we cannot via system-wide crypto policies disable SSLv3 in NSS (not
until [0] is included to NSS), and openssl as well because it provides
no cipher string to achieve that goal. So the question is does it matter
to disable SSLv3 from the global settings, if that would only affect
gnutls tools, which is a minority in Fedora?
regards,
Nikos
[0]. https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
regards,
Nikos