The calls to SSL_CTX_new all use "SSLv23_client_method", which also
supports TLS (up to v1.2). So, I guess we /could/ disable SSLv3 in
common/conf.c.
Should we consider supporting Mozilla's NSS in addition to OpenSSL? It
looks like someone at redhat wrote a compatibility layer.
Liam
On Thu, Oct 16, 2014 at 12:03 PM, Jorj Bauer <j...@isc.upenn.edu> wrote:
> Well, I would certainly think that institutions would be considering the
> impact of disabling SSLv3 in their own environments. I don't think that
> SSLv3 is old enough, or in little enough use, that we could mandate such a
> change.
>
> -- Jorj
>
>
> On Oct 16, 2014, at 11:37 AM, Liam Hoekenga <li...@umich.edu> wrote:
>
> > The cosign code in github disables SSLv2 for the cosign cgi and filter.
> > How worried do we need to be about SSLv3 and the POODLE exploit?
> >
> > Liam
> >
> ------------------------------------------------------------------------------
> > Comprehensive Server Monitoring with Site24x7.
> > Monitor 10 servers for $9/Month.
> > Get alerted through email, SMS, voice calls or mobile push notifications.
> > Take corrective actions from your mobile device.
> > http://p.sf.net/sfu/Zoho_______________________________________________
> > Cosign-discuss mailing list
> > Cosign-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
>
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
