This idea comes via https://bugzilla.mozilla.org/show_bug.cgi?id=1083767 (which I realize isn't on OpenSSL's RT, but given the enormity of the security problem I hope you'll forgive me). The proposal at that bug is to create an environment variable for NSS to enforce disablement of particular versions of the protocols.
What I'd like to see is a single environment variable that can do the same across NSS and OpenSSL and any other TLS library that chooses to look for the same variable. I realize that on embedded platforms, there is no such thing as a process environment. Obviously, this wouldn't have any effect on those platforms. But it would reduce environment wastage across the two largest open-source TLS libraries and their clients, and would provide a single checklist item that could control OpenSSL clients (think Chrome) as well as NSS (think Firefox).
Thoughts?
-Kyle H