-----Original Message-----
From: curl-library [mailto:[email protected]] On Behalf Of Daniel Stenberg
Sent: 16 October 2014 09:01
To: libcurl development
Subject: Re: SSLv3 fallback attack POODLE

> A decent and simple remedy to all of this is to just reject and deny SSLv3
> completely. That'll hurt some amount of legacy services and users.
> My guess is that we probably already hurt those same users with our default
> cipher list not including RC4. (I noticed libressl went ahead and disabled
> SSLv3 by default.)

From a security aspect SSLv3 should be dropped completely due to its many weaknesses.
I think it would be a good move to follow in the footsteps of libressl.
Legacy systems are most likely also using an old version of curl.

Best regards

Kamstrup A/S <http://www.kamstrup.dk>
Bruno Thomsen
Development engineer
Technology

Kamstrup A/S
Industrivej 28
DK-8660 Skanderborg
Tel: +45 89 93 10 00
Fax: +45 89 93 10 01
Dir: +45 89 93 13 94
E-mail: [email protected]
Web: www.kamstrup.dk
