Proposal: environment variable to disable SSLv2/v3/TLSv1.0/etc individually

2014-10-23 Thread Kyle Hamilton
This idea comes via https://bugzilla.mozilla.org/show_bug.cgi?id=1083767
(which I realize isn't on openssl's rt, but given the enormity of the
security problem I hope you'll forgive me).  The proposal at that bug is
to create an environment variable for NSS to enforce disablement of
particular versions of the protocols.

What I'd like to see is a single environment variable that can do the
same across NSS and OpenSSL and any other TLS library that chooses to
look for the same variable.

I realize that on embedded platforms, there is no such thing as a
process environment.  Obviously, this wouldn't have any effect on those
platforms.  But it would reduce environment wastage across the two
largest open-source TLS libraries and their clients, and would provide a
single checklist item that could control OpenSSL clients (think Chrome)
as well as NSS (think Firefox).

Thoughts?

-Kyle H
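The mechanism proposed above, as an added example that is not part of the thread and is not OpenSSL's or NSS's code: a Python sketch (the ssl module wraps OpenSSL) of how a library could honour such a variable when it builds a context. The variable name TLS_DISABLED_VERSIONS, its comma-separated syntax and the helper names are assumptions made here; the OP_NO_* bits are the real OpenSSL SSL_OP_NO_* options as Python exposes them.

```python
"""Sketch of a process-wide "disabled protocol versions" environment
variable, applied to an OpenSSL-backed context via Python's ssl module.
Added example; not code from OpenSSL, NSS, or the mailing-list thread.
The variable name, its syntax and the helper names are assumptions."""
import os
import ssl
import warnings

# Assumed variable name; the thread does not pick one.
ENV_VAR = "TLS_DISABLED_VERSIONS"

# Token -> OpenSSL SSL_OP_NO_* flag as exposed by Python.  A flag of 0
# (OP_NO_SSLv2 on OpenSSL >= 1.1.0, or OP_NO_TLSv1_3 on Python < 3.7)
# means the build has no such protocol to disable.
PROTOCOL_FLAGS = {
    "SSLv2": ssl.OP_NO_SSLv2,
    "SSLv3": ssl.OP_NO_SSLv3,
    "TLSv1": ssl.OP_NO_TLSv1,
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
    "TLSv1.3": getattr(ssl, "OP_NO_TLSv1_3", 0),
}


def parse_disabled_versions(value):
    """Turn "SSLv3, TLSv1" into a bitmask of SSL_OP_NO_* flags.

    Unknown tokens raise ValueError rather than being skipped: a typo in
    a security checklist item must fail loudly, not silently leave a
    protocol enabled.  Matching is case-insensitive, but only the one
    spelling per version listed in PROTOCOL_FLAGS is accepted.
    """
    canonical = {name.lower(): name for name in PROTOCOL_FLAGS}
    flags = 0
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name = canonical.get(token.lower())
        if name is None:
            raise ValueError("unknown protocol version %r in %s" % (token, ENV_VAR))
        flags |= PROTOCOL_FLAGS[name]
    return flags


def disabled_flags_from_env(environ=None):
    """Read the variable from environ (default: os.environ); unset means 0."""
    environ = os.environ if environ is None else environ
    return parse_disabled_versions(environ.get(ENV_VAR, ""))


def apply_disabled_versions(ctx, environ=None):
    """OR the parsed flags into ctx.options, as a library would do inside
    its context-creation path so that every caller is covered.

    This only ever adds OP_NO_* bits: a per-process variable can tighten
    what the application configured but never loosen it.
    """
    flags = disabled_flags_from_env(environ)
    with warnings.catch_warnings():
        # Python >= 3.10 deprecates OP_NO_* in favour of minimum_version,
        # but these bits are exactly OpenSSL's SSL_OP_NO_* options.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= flags
    return flags


def context_with_policy(environ=None):
    """Build a client context and apply the environment policy to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    apply_disabled_versions(ctx, environ)
    return ctx


def enabled_versions(ctx):
    """Names of the versions the context still permits, for auditing.
    Versions whose flag is 0 are absent from the build and not listed."""
    return [name for name, flag in PROTOCOL_FLAGS.items()
            if flag and not ctx.options & flag]


if __name__ == "__main__":
    # Constructed environment standing in for the real process environment.
    fake_env = {ENV_VAR: "SSLv3, TLSv1, TLSv1.1"}
    ctx = context_with_policy(fake_env)
    print("still enabled:", enabled_versions(ctx))
```

Fail-closed parsing is the part worth copying: if a library silently ignored an unrecognised token, the checklist item would look satisfied while the protocol stayed on. The same parser would serve a C implementation reading getenv() at SSL_CTX_new() time and passing the mask to SSL_CTX_set_options().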


RE: Proposal: environment variable to disable SSLv2/v3/TLSv1.0/etc individually

2014-10-23 Thread Salz, Rich
It's an interesting idea.  I'll chat with the Moz folks.  Best we could do is 
probably early patch to 1.0.2

