On Sat, Nov 08, 2014 at 03:22:50PM +0100, Alessandro Ghedini wrote:
> On sab, nov 08, 2014 at 01:15:14 +0100, Kurt Roeckx wrote:
> > Package: curl
> > Severity: important
> > Tags: patch
> > 
> > Hi,
> > 
> > I would like to get rid of the SSLv3 methods in openssl.
> 
> Is this a jessie objective? If not, it will have to wait until after the 
> freeze.

It is for me, not sure about the release team's point of view.
And I'm guessing it's going to depend on how many of those bugs I
can get fixed.

> > The patch brings curl in the same state as for SSLv2 in that it
> > doesn't try and use SSLv3 methods when openssl is built without
> > SSLv3 support.
> 
> The patch you posted is incomplete (there's another switch that needs to be
> ifdeffed). I'll try to put something together and forward it upstream.

You mean the part that sets options?  I see no point in doing that
since you shouldn't be able to reach that point, it does nothing
wrong, and it builds just fine.

> Anyway, note that there are still quite a bit of SSLv3-only servers
> (particularly Windows servers) that don't work with TLSv1.x at all (like, they
> even fail during the handshake if you dare propose TLS1 to them).

What version of Windows are you talking about in that case?  Even
Windows NT 4.0 supports TLS 1.0.

If you want to talk about real statistics, there are more sites
that only support SSLv2 than there are that only support SSLv3.


Kurt

