On 10/16/2014 10:53 AM, Daniel Stenberg wrote:
If it's really possible in all SSL backends to disable negotiation
down to SSLv3 while still allowing it if explicitly requested (with
--sslv3) then I'm fine with that.
Me too.
Do you consider the fallback logic in the NSS code a security
vulnerability? Then it might make sense to release its removal as a
separate security fix, and not include the SSL 3.0 removal, to minimize
the compatibility impact.
If you want to treat the NSS fallback code as a security vulnerability,
I will get the ball rolling on CVE assignment.
--
Florian Weimer / Red Hat Product Security
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
