On Mon, Oct 7, 2013 at 11:17 AM, Brian Smith <br...@briansmith.org> wrote:
>
> I think it is likely that some vendors of NSS-based products with very
> conservative backward-compatibility guarantees, like Oracle and maybe
> Red Hat, may need to continue supporting SSL 2.0 in their products due
> to promises that they've made. If so, either we should create a branch
> for these organizations to maintain, or we should create a branch of
> libssl without SSL 2.0.

The burden of maintaining the branch should fall on the people who
still need SSL 2.0, so we should remove SSL 2.0 from the trunk. It is
not that hard for a competent NSS developer to support an NSS 3.15
branch for another three years.

Note: we will keep the ability on the server side to handle a
ClientHello in the SSL 2.0 format.

Removing SSL 2.0 is an important step to clean up the SSL library
because it blocks some other cleanups, such as the handling of
handshakes and receive ("gather") buffers.

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
