On 16/10/2014 12:12 μμ, Olivier wrote:
> Hi,
>
> 2014-10-16 10:34 GMT+02:00 Neil - HAProxy List <maillist-hapr...@iamafreeman.com>:
>
> > I'd go further. SSLv3 is an obsolete protocol, does anyone disagree with that?
> >
> > For a start make no-sslv3 the default and have an enable-obsolete-sslv3 option.
> > Or better make enabling it a compile time option.
> >
> > Or maybe just get rid of it altogether?
>
> I do not agree. Backward compatibility is really important for software
> like HAProxy. So if you start disabling this feature, it would lead to
> tons of bug reports.
> Moreover, I do not agree that disabling SSLv3 is absolutely necessary.
> There are still plenty of websites around that must keep support for
> WinXP+IE6. Even Google did not deactivate SSLv3 on their server (they
> are using a mitigating solution instead).
>
> In my own opinion, being able to deactivate it on defaults section might
> help, but don't change default behaviour.
>
> Olivier
I second this. Disabling SSLv3 by default will go unnoticed in an upgrade process and will cause outages on services. Oh yes, SSLv3 is old, but it is being used by a lot of software (legacy or not) and upgrading them to TLS can take years. Do you know that the requests library on python2.7 uses SSLv3 by default on some recent distributions (RedHat 6 for instance)? And if you want to use TLS you have to write 5-6 lines of code, using HTTPAdapter etc...

I am one of those people that love to use the latest and greatest technologies, but in a way that will not break the business. Please don't disable SSLv3, just make the code warn about it in the log as a reminder.

Cheers,
Pavlos
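The compromise discussed in the thread (keep SSLv3 enabled by default but warn operators who still accept it) can also be checked from outside HAProxy, by auditing the configuration. The script below is an added example, not HAProxy code and not written by anyone in the thread. It assumes HAProxy 1.5-style syntax: `bind ... ssl crt <file>` with the per-bind keywords `no-sslv3` and `force-sslv3`, and `ssl-default-bind-options no-sslv3` in the `global` section as the site-wide default. The configuration it scans is constructed for the demonstration; the certificate paths in it are placeholders.

```python
"""Audit an HAProxy configuration for listeners that still accept SSLv3.

Added example, not code from the HAProxy project or from the thread.
Assumed HAProxy 1.5 syntax:
  - 'bind ... ssl crt <file> [no-sslv3|force-sslv3]' in frontend/listen
  - 'ssl-default-bind-options no-sslv3' in the global section, applied to
    every ssl bind line that does not override it
"""
import re
import shlex

# Constructed sample configuration: one listener relies on the default,
# one opts out of SSLv3 explicitly, one is pinned to SSLv3 for a legacy client.
SAMPLE_CFG = """\
global
    log /dev/log local0
    ssl-default-bind-ciphers HIGH:!aNULL

defaults
    mode http
    timeout client 30s

frontend public
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    default_backend app

frontend admin
    bind :8443 ssl crt /etc/haproxy/certs/admin.pem no-sslv3
    default_backend app

listen legacy
    bind :9443 ssl crt /etc/haproxy/certs/legacy.pem force-sslv3
    server s1 127.0.0.1:8080
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def parse_sections(cfg):
    """Return [(section header, [directive lines])] in file order, comments stripped."""
    sections = []
    current = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def global_disables_sslv3(sections):
    """True if the global section sets ssl-default-bind-options no-sslv3."""
    for name, lines in sections:
        if name != "global":
            continue
        for line in lines:
            words = shlex.split(line)
            if words and words[0] == "ssl-default-bind-options" and "no-sslv3" in words[1:]:
                return True
    return False


def sslv3_findings(cfg):
    """Return (section, bind line, reason) for each ssl bind that still accepts SSLv3."""
    sections = parse_sections(cfg)
    default_off = global_disables_sslv3(sections)
    findings = []
    for name, lines in sections:
        for line in lines:
            words = shlex.split(line)
            if not words or words[0] != "bind" or "ssl" not in words:
                continue  # plain TCP/HTTP listener, nothing to check
            if "force-sslv3" in words:
                findings.append((name, line, "force-sslv3 pins the listener to SSLv3"))
            elif "no-sslv3" in words:
                continue  # explicitly hardened on this bind line
            elif not default_off:
                findings.append((name, line,
                                 "no no-sslv3 on the bind line or in global ssl-default-bind-options"))
    return findings


if __name__ == "__main__":
    for section, line, reason in sslv3_findings(SAMPLE_CFG):
        print("WARNING [%s] %s  (%s)" % (section, line, reason))
```

Run against the sample it flags the `:443` listener (inherits the SSLv3-enabled default) and the `:9443` listener (pinned with `force-sslv3`), but not `:8443`; adding `ssl-default-bind-options no-sslv3` to `global` clears the first finding while the `force-sslv3` one remains, which is the behaviour you want from a reminder that does not itself change what HAProxy accepts.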