On 02/09/2015 03:43 PM, Elio Maldonado wrote:
> Support for ssl2 will be disabled in NSS. Refer to the Mozilla page
> with a list of sites [1] and the fedora bug [2] filed to disable SSL2 at
> build time. Upstream NSS will disable SSL2 perhaps as early as September of
> this year. Red Hat has had SSL2 disabled at build time since RHEL-7.0 which
> was released in the summer of last year. There have been no complaints so
> far. The plan was originally to disable it in Fedora but that wasn't possible
> as at that time which was late 2013. Then rhel-7.0 was about to enter beta
> but fedora 20 was late in the beta stage and it didn't seem prudent to
> introduce potentially disturbing changes so late in the development cycle.
> Now we can finally do it and is way in advance of when we may get it from
> upstream and gives package maintainers sufficient lead time to deal with
> any sites that may still be using SSL2.

Out of curiosity, does this also disable processing of SSL 2.0 compatible Client Hellos advertising a later protocol version, or will NSS just stop negotiating SSL 2.0?

--
Florian Weimer / Red Hat Product Security