On Mon, Oct 07, 2013 at 11:17:46AM -0700, Brian Smith wrote: > On Fri, Oct 4, 2013 at 6:52 PM, Ludovic Hirlimann > <ludovic+n...@mozilla.com> wrote: > > Hi, > > > > AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2 > > has been turned off at least 2 years ago. By removing SSL2 code we get : > > > > Smaller librarie > > faster compile time + test time > > > > What do you guys think ? > > Hi Ludovic, > > I do think it is time to remove SSL 2.0 support from libssl.
I'm all for removing SSL 2.0 support. OpenSSL still supports SSL 2.0, but the default cipher list doesn't include any ciphers that can be used with SSL 2.0 and so thus disabling the use of SSL 2.0 by default. I assume the same goes for NSS. In Debian I decided to build openssl since 1.0.0 without SSL 2.0 support, I didn't receive any negative feedback from that. At that point it didn't support TLS 1.1 or 1.2 yet since that only got added in 1.0.1. But the 1.0.0 version wasn't part of any release. Kurt -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto