Date: Wed, 15 Oct 2014 03:03:59 +0200 From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no> To: ports-secteam@freebsd.org Cc: gecko@freebsd.org, chromium@freebsd.org Subject: POODLE SSLv3 vulnerability Message-ID: <86iojmgn40.fsf@nine.des.no>
next in thread | raw e-mail | index | archive | help
Summary: Google researchers have discovered a plaintext recovery attack against SSL 3.0 with no known mitigation. I would like us to ship Firefox with SSL 3.0 disabled by default. This means setting security.tls.version.min to 1, or, in terms of code, changing the initial value of PSM_DEFAULT_MIN_TLS_VERSION from 0 to 1 in security/manager/ssl/src/nsNSSComponent.cpp. I assume that other Mozilla ports use the same code and require the same changes. Note that this does not preclude the user from changing the setting back to 0 in about:config. I would also like to do the same for Chrome, but I don't know the exact procedure and I am unable to find out or test, since Chrome has been broken for several months. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86iojmgn40.fsf>