crypto policies for F21 without SSL 3.0?

Nikos Mavrogiannopoulos nmav at redhat.com
Wed Nov 19 14:58:36 UTC 2014


Hello,
 Eric Christensen proposed removing SSL 3.0 from the DEFAULT crypto
policy in F21, due to the POODLE attack. I experimented a bit, and
noticed (again) that openssl cannot set the supported versions via a
cipher string, and since NSS is still work in progress, it would
actually mean that this setting would only apply to gnutls. Also Tomas
Mraz noticed quite a few mail clients that still use SSL 3.0 only, meaning
SSL 3.0 is not completely dead yet and may cause compatibility issues
for Fedora servers that use these strings.

With that in mind, does it make sense to update the policies to remove
SSL 3.0, or should we wait until F22?

regards,
Nikos



