Heads up: Disabling SSL2 support in NSS

Florian Weimer fweimer at redhat.com
Mon Feb 9 16:22:56 UTC 2015


On 02/09/2015 03:43 PM, Elio Maldonado wrote:

> Support for SSL2 will be disabled in NSS. Refer to the Mozilla page with a list of sites [1] and the Fedora bug [2] filed to disable SSL2 at build time. Upstream NSS will disable SSL2 perhaps as early as September of this year. Red Hat has had SSL2 disabled at build time since RHEL-7.0, which was released in the summer of last year. There have been no complaints so far. The plan was originally to disable it in Fedora, but that wasn't possible at that time, which was late 2013. Then RHEL-7.0 was about to enter beta, but Fedora 20 was late in the beta stage and it didn't seem prudent to introduce potentially disturbing changes so late in the development cycle. Now we can finally do it, and it is way in advance of when we may get it from upstream and gives package maintainers sufficient lead time to deal with any sites that may still be using SSL2.

Out of curiosity, does this also disable processing of SSL 2.0
compatible Client Hellos advertising a later protocol version, or will
NSS just stop negotiating SSL 2.0?

-- 
Florian Weimer / Red Hat Product Security
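
The distinction the question draws, shown at the byte level, as an added example that is not part of the original message and is not NSS code: a Python classifier for the first bytes a client sends, separating a TLS record, an SSL 2.0 compatible Client Hello advertising a later version, and a hello offering SSL 2.0 itself. The function name, labels and sample bytes are constructed for illustration, and only the 2-byte SSLv2 record header is handled.

```python
import struct

def classify_client_hello(data: bytes):
    """Return (kind, advertised_version) for the first bytes of a connection."""
    if len(data) < 6:
        return ("truncated", None)
    # SSL 3.0 / TLS record layer: content type 0x16 (handshake), major version 3,
    # 2-byte record length, then handshake type 0x01 (ClientHello).
    if data[0] == 0x16 and data[1] == 0x03:
        if data[5] == 0x01:
            return ("tls-record-hello", (data[1] << 8) | data[2])
        return ("other", None)
    # SSLv2 record: high bit of byte 0 set, 15-bit length, msg_type 1 = CLIENT-HELLO.
    if data[0] & 0x80 and data[2] == 0x01:
        if len(data) < 11:
            return ("truncated", None)
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", data[3:11])
        # Cipher specs are 3 bytes each; the declared lengths must add up
        # to the record length (9 fixed bytes follow the 2-byte header).
        if cs_len == 0 or cs_len % 3 or rec_len != 9 + cs_len + sid_len + ch_len:
            return ("malformed-v2", version)
        if version == 0x0002:
            return ("ssl2-hello", version)            # offers SSL 2.0 itself
        if version >= 0x0300:
            return ("v2-compatible-hello", version)   # v2 framing, later protocol
        return ("malformed-v2", version)
    return ("other", None)

# Constructed sample inputs (not captured traffic): 21 bytes of cipher specs,
# empty session id, 16-byte challenge, all zero-filled.
V2_COMPAT_TLS10 = bytes.fromhex("802e0103010015000000" "10") + bytes(37)
PURE_SSL2 = bytes.fromhex("802e0100020015000000" "10") + bytes(37)
TLS10_RECORD = bytes.fromhex("160301000401000000")

if __name__ == "__main__":
    for name, sample in [("v2-compatible", V2_COMPAT_TLS10),
                         ("pure SSL2", PURE_SSL2),
                         ("TLS record", TLS10_RECORD)]:
        kind, version = classify_client_hello(sample)
        shown = "n/a" if version is None else f"0x{version:04x}"
        print(f"{name:14s} -> {kind} (advertised version {shown})")
```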

