Proposal: Disable SSLv3 in Firefox ESR 31

Hey all, By now, you've probably heard about the POODLE attacks on SSLv3, and our decision to disable SSLv3 by default in Firefox 34 [1]. Several people have proposed that we also make this change in Firefox ESR 31. So I wanted to propose that we also disable SSLv3 by default in ESR 31 at

Re: Proposal: Disable SSLv3 in Firefox ESR 31

On Thu, 2014-10-16 at 10:31 -0700, Richard Barnes wrote: By now, you've probably heard about the POODLE attacks on SSLv3, and our decision to disable SSLv3 by default in Firefox 34 [1]. Several people have proposed that we also make this change in Firefox ESR 31. So I wanted to propose

Re: Proposal: Disable SSLv3 in Firefox ESR 31

* Richard Barnes: If there are any objections or comments on that proposal, please raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different perspective. Why is disabling SSL 3.0 acceptable, but getting rid of the broken

Re: Proposal: Disable SSLv3 in Firefox ESR 31

On Thu, 2014-10-16 at 20:27 +0200, Florian Weimer wrote: A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different perspective. Why is disabling SSL 3.0 acceptable, but getting rid of the broken fallback which will keep endangering users for a long

Re: Proposal: Disable SSLv3 in Firefox ESR 31

On Thu, 16 Oct 2014 20:27:24 +0200 Florian Weimer f...@deneb.enyo.de wrote: * Richard Barnes: If there are any objections or comments on that proposal, please raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a slightly different

Re: Proposal: Disable SSLv3 in Firefox ESR 31

* Reed Loden: On Thu, 16 Oct 2014 20:27:24 +0200 Florian Weimer f...@deneb.enyo.de wrote: * Richard Barnes: If there are any objections or comments on that proposal, please raise them in this thread. A lot of this has already been hashed out on the IETF TLS WG mailing list, with a

Re: Announcing Mozilla::PKIX, a New Certificate Verification Library

On Monday, April 7, 2014 6:33:50 PM UTC-4, Kathleen Wilson wrote: All, We have been working on a new certificate verification library for Gecko, and would greatly appreciate it if you will test this new library and review the new code. Background NSS currently has two

Re: Proposal: Disable SSLv3 in Firefox ESR 31

Florian, On 10/16/2014 12:50, Florian Weimer wrote: Neither. I'm talking about the out-of-protocol insecure version negotiation for TLS implemented in Firefox. That's a broader scope than bug 689814, which is strictly about fallback to SSL 3.0. +1 This fallback needs to get removed,