On Nov 11, 2014 12:44 AM, "Stephen Gallagher" <[email protected]> wrote:
>
> On Nov 10, 2014, at 11:19 PM, T.C. Hollingsworth <[email protected]> wrote:
> >
> > Upstream disabled SSLv3 in v0.10.33. I've been putting off dealing
> > with it because I've been very busy, but I already got a request to do
> > the same in EPEL [1].
> >
> > I was leaning toward not disabling it in <F20 and EPEL, since we
> > typically don't do that sort of thing in stable releases. But it
> > could get very confusing if upstream has disabled SSLv3 and we're
> > shipping versions that claim to have it disabled. So I guess stable
> > releases will be stuck at 0.10.32 + backports from future stable
> > releases forever. Unless I'm being too pedantic and should just push
> > the new upstream release unmodified?
> >
> > However, I think it's still early enough to do this for F21 at least
> > so that's not stuck with the same issue forever. So unless a
>
> I'd say that this *specific* change is acceptable for backport to the
> stable branches because of the POODLE vulnerability. Plenty of other
> packages are making this change.

After confirming the answer to your next question I don't have any problem
with this. And nobody else commented, so unless someone objects I'll send
0.10.33 to testing as soon as I can use something better than a phone. :-)
I'll announce here and on epel-announce after they are pushed.

> Is it possible to carry a patch that allows our users to re-enable it at
> runtime if they absolutely must? If so, that's probably the optimum
> solution.

The upstream fix adds an `--enable-ssl3` argument to the `node` executable to
re-enable SSLv3 fallback. Also, any code that explicitly requests
'SSLv3_method' while opening the connection will continue to use only SSLv3
regardless of whether the flag is set. This is described in detail here:
https://nodejs.org/api/tls.html#tls_protocol_support

I'll make sure to include this information in the aforementioned
announcement.

Thanks,
-T.C.

P.S. I haven't forgotten that e-mail regarding npm/rpm integration, but I've
been way too busy to do much justice to a reply. Sorry. :-( I figure you are
too getting F21 out the door. (Lots of awesome stuff in Server BTW, thanks!)
Hopefully we can get back to it after the holidays?

_______________________________________________
nodejs mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/nodejs
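
An audit for the two SSLv3 re-enable paths described in the message above (the `--enable-ssl3` flag and an explicit 'SSLv3_method' request), as an added example that is not part of the original thread or of upstream Node.js. The file names and contents are constructed samples, and the matcher also covers the `_client`/`_server` variants of the method name, which goes beyond what the message mentions.

```javascript
// Added example: find where a deployment can still speak SSLv3 after
// updating to a node build that disables it by default.
// All inputs below are constructed; paths and host names are hypothetical.

// Explicit protocol pin in source, e.g. secureProtocol: 'SSLv3_method'.
const METHOD_RE = /['"]SSLv3(?:_client|_server)?_method['"]/;
// Runtime flag on a node command line (service unit, init script, npm script).
const FLAG_RE = /(?:^|\s)--enable-ssl3(?=\s|$|["'])/;

// files: object mapping file name -> file text.
// Returns one finding per matching line: { file, line, kind }.
function auditSsl3(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, i) => {
      // Ignore full-line comments so notes about SSLv3 are not reported.
      const code = line.replace(/^\s*(\/\/|#).*$/, '');
      if (METHOD_RE.test(code)) {
        findings.push({ file: name, line: i + 1, kind: 'explicit-method' });
      }
      if (FLAG_RE.test(code)) {
        findings.push({ file: name, line: i + 1, kind: 'runtime-flag' });
      }
    });
  }
  return findings;
}

// Constructed sample tree: one explicit pin, one flagged launcher, one clean file.
const SAMPLE = {
  'app/client.js': [
    "var tls = require('tls');",
    '// legacy peer only speaks SSLv3',
    "var s = tls.connect(443, 'legacy.example', { secureProtocol: 'SSLv3_method' });",
  ].join('\n'),
  'etc/app.service': 'ExecStart=/usr/bin/node --enable-ssl3 /srv/app/server.js\n',
  'app/server.js': "var opts = { secureProtocol: 'TLSv1_method' };\n",
};

for (const f of auditSsl3(SAMPLE)) {
  console.log(`${f.file}:${f.line} ${f.kind}`);
}
```

An 'explicit-method' finding matters even where the flag is absent, since per the message such code keeps using only SSLv3 regardless of the flag.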
