Administrators who need the support can still enable it and make use of SCSV. And don't forget that 'modern browser' applies to IE up to 11, FF up to 34, Chrome up to ? (couldn't find the exact version) of which actually not a single one has SCSV support and they won't get it! Providing compatibility for ancient out-of-life software and supporting a serious vulnerability for widely used (some ESR) software seems a bit dangerous to me.
The default configuration should protect the /wanna-be/ administrators. All others will most likely tune their config no matter what is supplied.
Best,
Richard

On 10/30/2014 2:47 PM, Maxim Dounin wrote:

> Hello!
>
> On Wed, Oct 29, 2014 at 09:17:04PM -0700, Piotr Sikora wrote:
>
> > # HG changeset patch
> > # User Piotr Sikora <pi...@cloudflare.com>
> > # Date 1414642398 25200
> > #      Wed Oct 29 21:13:18 2014 -0700
> > # Node ID bf17486e5d30574b870926b76c1d6f421e4def75
> > # Parent  87ada3ba1392fadaf4d9193b5d345c248be32f77
> > SSL: don't enable SSLv3 by default.
>
> This was discussed excessively both in the office here and in the Russian mailing list a while ago, and the consensus is that we are not changing the default for now. The rationale is as follows:
>
> - SSLv3 is still important from a compatibility point of view; there are various clients which don't support (or enable by default) anything better;
>
> - Mitigation for POODLE is already good and improving, including fallback protection via TLS_FALLBACK_SCSV and anti-POODLE record splitting; so, basically, modern browsers are not affected.
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel