changeset: 6371:39d3ddb56d34 user: David Champion <[email protected]> date: Tue Nov 04 23:40:10 2014 -0600 link: http://dev.mutt.org/hg/mutt/rev/39d3ddb56d34
Disable SSLv3 by default. Since Oct. 14 2014 SSLv3 is no longer considered safe. See POODLE: https://en.wikipedia.org/wiki/Transport_Layer_Security#POODLE_attack diffs (23 lines):
diff -r 3a46874d5845 -r 39d3ddb56d34 init.h
--- a/init.h Sat Oct 11 13:20:54 2014 -0700
+++ b/init.h Tue Nov 04 23:40:10 2014 -0600
@@ -2990,14 +2990,16 @@
 /*
 ** .pp
 ** This variable specifies whether to attempt to use SSLv2 in the
- ** SSL authentication process.
+ ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+ ** considered fundamentally insecure and are no longer recommended.
 */
 # endif /* defined USE_SSL_OPENSSL */
- { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
+ { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 0 },
 /*
 ** .pp
 ** This variable specifies whether to attempt to use SSLv3 in the
- ** SSL authentication process.
+ ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+ ** considered fundamentally insecure and are no longer recommended.
 */
 { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
 /*
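Review bot: The sentence added under `ssl_use_sslv3` says SSLv3 is "no longer recommended" but does not tell a reader that the option is now off by default, or what turning it back on costs. Since these comments appear to be the option's documentation, that entry could be specific, for example `** SSL authentication process. SSLv3 is disabled by default because of` followed by `** the POODLE attack; enabling it lets a connection be negotiated down to SSLv3.` The new default of 0 presumably reaches only users who never set the option, so an explicit `set ssl_use_sslv3=yes` in an existing muttrc would keep SSLv3 enabled, and a line in the upgrade notes would help those users. The option table and the comment opened on the last context line continue outside this hunk, so the `ssl_use_sslv2` default is not visible here and should be confirmed to be 0 as well.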
