Re: [Cosign-discuss] cosign and POODLE?
The calls to SSL_CTX_new all use SSLv23_client_method, which also supports TLS (up to v1.2). So, I guess we /could/ disable SSLv3 in common/conf.c.

Should we consider supporting Mozilla's NSS in addition to OpenSSL? It looks like someone at redhat wrote a compatibility layer.

Liam

On Thu, Oct 16, 2014 at 12:03 PM, Jorj Bauer j...@isc.upenn.edu wrote:
> Well, I would certainly think that institutions would be considering the impact of disabling SSLv3 in their own environments. I don't think that SSLv3 is old enough, or in little enough use, that we could mandate such a change.
>
> -- Jorj
>
> On Oct 16, 2014, at 11:37 AM, Liam Hoekenga li...@umich.edu wrote:
>> The cosign code in github disables SSLv2 for the cosign cgi and filter. How worried do we need to be about SSLv3 and the POODLE exploit?
>>
>> Liam

Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
Re: [Cosign-discuss] cosign and POODLE?
Well, I would certainly think that institutions would be considering the impact of disabling SSLv3 in their own environments. I don't think that SSLv3 is old enough, or in little enough use, that we could mandate such a change.

-- Jorj

On Oct 16, 2014, at 11:37 AM, Liam Hoekenga li...@umich.edu wrote:
> The cosign code in github disables SSLv2 for the cosign cgi and filter. How worried do we need to be about SSLv3 and the POODLE exploit?
>
> Liam
Re: [Cosign-discuss] cosign and POODLE?
I think the ability to exploit POODLE via the backchannel is fairly limited because of the requirement for client certs during initial negotiation. But having said that, I think that we should make this an option so that it can be disabled when people are ready/willing to do so.

-- Jorj

On Oct 16, 2014, at 12:08 PM, Liam Hoekenga li...@umich.edu wrote:
> The calls to SSL_CTX_new all use SSLv23_client_method, which also supports TLS (up to v1.2). So, I guess we /could/ disable SSLv3 in common/conf.c.
>
> Should we consider supporting Mozilla's NSS in addition to OpenSSL? It looks like someone at redhat wrote a compatibility layer.
>
> Liam
>
> On Thu, Oct 16, 2014 at 12:03 PM, Jorj Bauer j...@isc.upenn.edu wrote:
>> Well, I would certainly think that institutions would be considering the impact of disabling SSLv3 in their own environments. I don't think that SSLv3 is old enough, or in little enough use, that we could mandate such a change.
>>
>> -- Jorj
>>
>> On Oct 16, 2014, at 11:37 AM, Liam Hoekenga li...@umich.edu wrote:
>>> The cosign code in github disables SSLv2 for the cosign cgi and filter. How worried do we need to be about SSLv3 and the POODLE exploit?
>>>
>>> Liam
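
The option-mask approach discussed in this thread, as an added example that is not part of the original messages or the cosign code. It uses Python's ssl module, which exposes OpenSSL's SSL_OP_NO_* bits, rather than cosign's C; the disable_sslv3 switch and the function names are hypothetical.

```python
import ssl
import warnings

# Option bits that exclude each protocol version, oldest first. Python's ssl
# module exposes OpenSSL's SSL_OP_NO_* flags under these names.
EXCLUSION_BITS = [
    ("SSLv3", ssl.OP_NO_SSLv3),
    ("TLSv1", ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.OP_NO_TLSv1_2),
]


def not_masked(ctx):
    """Return the protocol versions the context's option mask leaves enabled."""
    return [name for name, bit in EXCLUSION_BITS if not ctx.options & bit]


def make_client_context(disable_sslv3):
    """Build a version-flexible client context (the SSLv23-style method).

    disable_sslv3 is a hypothetical site configuration switch.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Newer Python versions warn that OP_NO_* bits are deprecated in
        # favour of minimum_version; the bits still work as shown.
        warnings.simplefilter("ignore", DeprecationWarning)
        # Model the mask described in the thread: SSLv2 excluded, SSLv3 not.
        ctx.options |= ssl.OP_NO_SSLv2
        ctx.options &= ~ssl.OP_NO_SSLv3
        if disable_sslv3:
            ctx.options |= ssl.OP_NO_SSLv3
    return ctx


if __name__ == "__main__":
    for flag in (False, True):
        print("disable_sslv3 =", flag, "->", not_masked(make_client_context(flag)))
```

Current Python and OpenSSL builds also restrict old versions through a minimum-version setting, and many OpenSSL builds omit SSLv3 entirely, so the output reflects the option mask only.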