On 02/09/2015 08:22 AM, Florian Weimer wrote:
On 02/09/2015 03:43 PM, Elio Maldonado wrote:

Support for SSL2 will be disabled in NSS. Refer to the Mozilla page with 
a list of sites [1] and the Fedora bug [2] filed to disable SSL2 at build time. 
Upstream NSS will disable SSL2 perhaps as early as September of this year. Red 
Hat has had SSL2 disabled at build time since RHEL-7.0, which was released in 
the summer of last year. There have been no complaints so far. The plan was 
originally to disable it in Fedora, but that wasn't possible at the time, 
which was late 2013. RHEL-7.0 was then about to enter beta, but Fedora 20 was 
late in its beta stage, and it didn't seem prudent to introduce potentially 
disturbing changes so late in the development cycle. Now we can finally do it, 
well in advance of when we may get it from upstream, which gives package 
maintainers sufficient lead time to deal with any sites that may still be 
using SSL2.
Out of curiosity, does this also disable processing of SSL 2.0
compatible Client Hellos advertising a later protocol version, or will
NSS just stop negotiating SSL 2.0?

Good question, Florian. The answer is that we disable SSLv2-compatible hellos. This is from Bob Relyea: SSL2 hellos have to be disabled if you ever send any extensions, so ECC support or TLS 1.2 support requires that you don't send SSL2 hellos. So the upshot is that we only send SSL2 hellos if you explicitly turn them on and only use SSL2/SSL3 and no ECC. Mozilla hasn't been using SSL2 hellos for about a decade now.

Once I resolve some issues with Firefox, which oddly enough don't happen in RHEL, and the work is reviewed, I'll proceed to disable SSL2 for Rawhide.

Elio
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
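To make the distinction Florian asked about concrete, here is an added example (my own code, not NSS's or Mozilla's) that parses both ClientHello wire formats: the SSLv2-compatible hello has no extension field at all, which is why ECC (supported_groups) or TLS 1.2 (signature_algorithms) support means a client must stop sending it. The two sample hellos are constructed inline; a defender can run the same classifier over captured handshakes to find clients still emitting the legacy format.

```python
import struct

# supported_groups (0x000a, ECC) and signature_algorithms (0x000d, TLS 1.2) can only ride in a TLS-format hello
ECC_OR_TLS12_EXTENSIONS = {0x000A, 0x000D}

def classify_client_hello(data: bytes) -> dict:
    """Return the hello format, advertised version, cipher suites and extension types."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 2-byte record header (high bit set, 15-bit length), then CLIENT-HELLO (0x01)
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        version = int.from_bytes(body[1:3], "big")
        cs_len = struct.unpack(">HHH", body[3:9])[0]   # cipher_spec, session_id, challenge lengths
        specs = body[9:9 + cs_len]                      # 3-byte cipher specs; no extension field exists
        suites = [specs[i:i + 3].hex() for i in range(0, cs_len, 3)]
        return {"format": "sslv2_compat", "version": version, "suites": suites, "extensions": []}
    if len(data) >= 9 and data[0] == 0x16 and data[5] == 0x01:
        # TLS record (content type 0x16) carrying a Handshake of type ClientHello (0x01)
        body = data[9:9 + int.from_bytes(data[6:9], "big")]
        version = int.from_bytes(body[0:2], "big")
        pos = 2 + 32                       # client_version, random
        pos += 1 + body[pos]               # session_id
        cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        suites = [body[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]; pos += cs_len
        pos += 1 + body[pos]               # compression_methods
        exts = []
        if pos + 2 <= len(body):           # extensions block is optional in the TLS format
            end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
            while pos + 4 <= end:
                exts.append(int.from_bytes(body[pos:pos + 2], "big"))
                pos += 4 + int.from_bytes(body[pos + 2:pos + 4], "big")
        return {"format": "tls_record", "version": version, "suites": suites, "extensions": exts}
    raise ValueError("not a recognisable ClientHello")

def sample_sslv2_hello() -> bytes:
    """Constructed SSLv2-compatible hello advertising TLS 1.0 with one RSA/AES-128 suite."""
    body = b"\x01\x03\x01" + struct.pack(">HHH", 3, 0, 16) + b"\x00\x00\x2f" + b"\x00" * 16
    return struct.pack(">H", 0x8000 | len(body)) + body

def sample_tls_hello() -> bytes:
    """Constructed TLS 1.2 hello with an ECDHE suite plus the two extensions it depends on."""
    exts = struct.pack(">HHHH", 0x000A, 4, 2, 0x0017) + struct.pack(">HHHH", 0x000D, 4, 2, 0x0401)
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack(">H", 2) + b"\xc0\x2f" + b"\x01\x00"
    body += struct.pack(">H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    for info in map(classify_client_hello, (sample_sslv2_hello(), sample_tls_hello())):
        print(info, "ECC/TLS1.2-capable" if ECC_OR_TLS12_EXTENSIONS & set(info["extensions"]) else "legacy hello")
```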
