I think the ability to exploit POODLE via the backchannel is fairly limited 
because of the requirement for client certs during initial negotiation.

But having said that, I think that we should make this an option so that it can 
be disabled when people are ready/willing to do so.

-- Jorj


On Oct 16, 2014, at 12:08 PM, Liam Hoekenga <li...@umich.edu> wrote:

> The calls to SSL_CTX_new all use "SSLv23_client_method", which also supports 
> TLS (up to v1.2).  So, I guess we /could/ disable SSLv3 in common/conf.c.
> 
> Should we consider supporting Mozilla's NSS in addition to OpenSSL?  It looks 
> like someone at redhat wrote a compatibility layer.
> 
> Liam
> 
> On Thu, Oct 16, 2014 at 12:03 PM, Jorj Bauer <j...@isc.upenn.edu> wrote:
> Well, I would certainly think that institutions would be considering the 
> impact of disabling SSLv3 in their own environments. I don't think that SSLv3 
> is old enough, or in little enough use, that we could mandate such a change.
> 
> -- Jorj
> 
> 
> On Oct 16, 2014, at 11:37 AM, Liam Hoekenga <li...@umich.edu> wrote:
> 
> > The cosign code in github disables SSLv2 for the cosign cgi and filter.
> > How worried do we need to be about SSLv3 and the POODLE exploit?
> >
> > Liam
> > ------------------------------------------------------------------------------
> > Comprehensive Server Monitoring with Site24x7.
> > Monitor 10 servers for $9/Month.
> > Get alerted through email, SMS, voice calls or mobile push notifications.
> > Take corrective actions from your mobile device.
> > http://p.sf.net/sfu/Zoho
> > _______________________________________________
> > Cosign-discuss mailing list
> > Cosign-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/cosign-discuss
> 
> 

