Hi, I'm looking for some advice on how to plug the POODLE vulnerability in WebKitGTK+. We use GnuTLS indirectly through libsoup, which uses glib, which uses glib-networking, which uses GnuTLS. glib does not currently offer the ability to control the protocols or cipher suites in use.
Traditionally, glib-networking has not changed any GnuTLS defaults, on the assumption that your defaults will always be better and more secure than anything the glib developers could come up with. But since it looks like SSLv3 will not be disabled until GnuTLS 3.4, and we need to immediately disable SSLv3, this no longer seems like a reasonable option for glib. In order to avoid breaking applications that require SSLv3, the current consideration is to add new API in glib (and possibly also in libsoup) for controlling protocols in use... but this seems like a poor way to handle a security issue, and would cause glib to default to insecure. There's a short discussion in [1].
We'd really appreciate any advice this list has to offer on how to proceed.
Thanks,
Michael
[1] https://bugzilla.gnome.org/show_bug.cgi?id=738633
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
