On 10/07/2013 12:44 PM, Wan-Teh Chang wrote:
> On Mon, Oct 7, 2013 at 11:17 AM, Brian Smith <br...@briansmith.org> wrote:
>> I think it is likely that some vendors of NSS-based products with very
>> conservative backward-compatibility guarantees, like Oracle and maybe
>> Red Hat, may need to continue supporting SSL 2.0 in their products due
>> to promises that they've made. If so, either we should create a branch
>> for these organizations to maintain, or we should create a branch of
>> libssl without SSL 2.0.
> The burden of maintaining the branch should fall on the people who
> still need SSL 2.0, so we should remove SSL 2.0 from the trunk. It is
> not that hard for a competent NSS developer to support an NSS 3.15
> branch for another three years.
Please don't completely screw us over here. I would prefer to be able to
track NSS updates, particularly since they are pulled in by mozilla. (we
completely rebase nss whenever we have to pick up new mozilla releases
that need it).

That being said, I think we could split the ssl 2.0 code out stand
alone. The only issue is ssl2 hello->ssl3, which would probably mean
figuring out some way to make that transition that puts the burden on
the ssl2 code.
>
> Note: we will keep the ability on the server side to handle a
> ClientHello in the SSL 2.0 format.
>
> Removing SSL 2.0 is an important step to clean up the SSL library
> because it blocks some other cleanups, such as the handling of
> handshakes and receive ("gather") buffers.

Ideally we could completely fork the SSL2 code to use its own gather
buffers.

Right now I'm trying to see if I can get management to let us drop SSL2
support in some upcoming RHEL 6 release. I've already dropped it in
RHEL7, and I think we may be at the point in RHEL-5 where we may not be
updating NSS except for some extreme fixes. One thing that could help is
to make sure the next mozilla CSB release supports SSL2; that will give
RHEL 6 some more runway...

Bob

>
> Wan-Teh


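The server-side case both messages touch on, a ClientHello in the SSL 2.0 format arriving to negotiate SSL3/TLS, as an added example that is not NSS code from this thread: a parser that tells the v2 layout from a record-layer ClientHello and pulls out the offered version and cipher list, exercised on constructed sample hellos (the builder helpers and their byte values are assumptions, not captured traffic).

```python
import struct

def parse_client_hello(data: bytes) -> dict:
    """Classify the first bytes a server reads. 'sslv2' is the 2-byte-header
    SSL 2.0 layout (high bit of byte 0 set, which no SSL3/TLS record type has);
    'tls' is a record-layer ClientHello (RFC 6101 App. E, RFC 5246 7.4.1.2)."""
    if len(data) < 5:
        raise ValueError("truncated")
    if data[0] & 0x80:
        # 15-bit record length, then CLIENT-HELLO (1), client version and three
        # 2-byte lengths: cipher specs, session id, challenge. Specs are 3 bytes;
        # SSL3/TLS suites ride inside a v2 hello as 0x00 followed by the suite id.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + rec_len]
        if len(body) != rec_len or rec_len < 9 or body[0] != 0x01:
            raise ValueError("bad SSL 2.0 CLIENT-HELLO")
        version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
        if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
            raise ValueError("SSL 2.0 length fields inconsistent")
        specs = [body[i:i + 3] for i in range(9, 9 + cs_len, 3)]
        return {"format": "sslv2", "version": version,
                "ciphers": [s[1:] if s[0] == 0 else s for s in specs]}
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    hs = data[5:5 + struct.unpack(">H", data[3:5])[0]]   # handshake payload
    if len(hs) < 39 or hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("bad TLS ClientHello")
    version = struct.unpack(">H", hs[4:6])[0]
    pos = 39 + hs[38]                                   # past random, session_id
    if len(hs) < pos + 2:
        raise ValueError("cipher_suites missing")
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    suites = hs[pos + 2:pos + 2 + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("cipher_suites truncated")
    return {"format": "tls", "version": version,
            "ciphers": [suites[i:i + 2] for i in range(0, cs_len, 2)]}

# Constructed sample hellos (assumed values, not captured traffic) for the parser.
def v2_hello(version, specs, challenge=b"\x11" * 16):
    body = b"\x01" + struct.pack(">HHHH", version, 3 * len(specs), 0,
                                 len(challenge)) + b"".join(specs) + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def tls_hello(version, suites):
    body = (struct.pack(">H", version) + b"\x22" * 32 + b"\x00" +
            struct.pack(">H", 2 * len(suites)) + b"".join(suites) + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```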
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto