On Fri, 17 Oct 2014, Florian Weimer wrote:
> Do you consider the fallback logic in the NSS code a security vulnerability? Then it might make sense to release its removal as a separate security fix, and not include the SSL 3.0 removal, to minimize the compatibility impact.
I don't. The POODLE attack doesn't work on anything that uses libcurl from what I've seen[1], so all our talk and discussions about disabling SSLv3 and removing the fallback logic in NSS are only extra precautions because they are involved in the POODLE attack and thus indicate areas that involve problems and weak security.
[1] = http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/

-- 
/ daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
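The point under discussion above, that the protocol-version fallback logic (not SSL 3.0 support alone) is what turns a broken handshake into a downgrade, is easier to see in a small model. The following is an added illustration, not code from curl, NSS or the thread: the version list, the "honest" server, the handshake-dropping path and both client functions are constructed assumptions. It compares a client that retries at a lower version after a failed handshake with one that offers its highest version once and reports failure, and it also shows that disabling SSLv3 on the fallback client is a second, independent way to keep it from landing on SSLv3.

```python
"""Constructed model of TLS version negotiation with and without
'fallback' retries (the NSS-style behaviour discussed in the thread).
Not code from curl or NSS; every server, network fault and version list
here is an assumption built for illustration."""
from typing import Callable, Dict, List, Optional

# Versions the toy client knows, highest first. SSLv3 is the version POODLE
# exploits; the others show where a fallback sequence can end up.
VERSIONS: List[str] = ["TLSv1.2", "TLSv1.1", "TLSv1.0", "SSLv3"]

# A "server" maps the client's offered maximum version to the version it
# picks, or None when the handshake does not complete.
Server = Callable[[str], Optional[str]]


def honest_server(client_max: str) -> Optional[str]:
    """Constructed server that still has SSLv3 enabled but always picks the
    highest version the client offers (normal TLS negotiation)."""
    return client_max if client_max in VERSIONS else None


def with_handshake_interference(server: Server) -> Server:
    """Model of an on-path fault: every handshake that offers anything newer
    than SSLv3 simply does not complete. TLS itself cannot be talked into a
    lower version by tampering, so a dropped handshake is all that is modelled;
    the downgrade, if any, comes entirely from the client's retry behaviour."""
    def wrapped(client_max: str) -> Optional[str]:
        if client_max != "SSLv3":
            return None
        return server(client_max)
    return wrapped


def connect_with_fallback(server: Server, min_version: str = "SSLv3") -> Optional[str]:
    """Client with fallback logic: after a failed handshake it retries with the
    next lower version, down to min_version. Returns the negotiated version or
    None if every attempt failed."""
    floor = VERSIONS.index(min_version)
    for client_max in VERSIONS[: floor + 1]:
        negotiated = server(client_max)
        if negotiated is not None:
            return negotiated
    return None


def connect_without_fallback(server: Server, min_version: str = "TLSv1.0") -> Optional[str]:
    """Client without fallback (the behaviour the email attributes to libcurl):
    one handshake offering the highest version; a failure is reported as a
    failure and never retried lower. The result must also meet min_version."""
    negotiated = server(VERSIONS[0])
    if negotiated is None or VERSIONS.index(negotiated) > VERSIONS.index(min_version):
        return None
    return negotiated


def downgrade_outcomes() -> Dict[str, Optional[str]]:
    """Run both clients against an honest server and an interfered path."""
    interfered = with_handshake_interference(honest_server)
    return {
        "fallback/honest": connect_with_fallback(honest_server),
        "fallback/interfered": connect_with_fallback(interfered),
        "fallback-no-sslv3/interfered": connect_with_fallback(interfered, "TLSv1.0"),
        "no-fallback/honest": connect_without_fallback(honest_server),
        "no-fallback/interfered": connect_without_fallback(interfered),
    }


if __name__ == "__main__":
    for scenario, result in downgrade_outcomes().items():
        print(f"{scenario:30} -> {result or 'connection failed'}")
```

In this model only the combination "fallback retries enabled" plus "SSLv3 still allowed" ends up on SSLv3; removing the fallback and disabling SSLv3 each prevent that on their own, which is why the two measures can be treated as separate precautions, with a failed connection rather than a downgraded one as the cost of interference.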
