Because of the POODLE security vulnerability, it has been widely suggested to disable SSL 3.
Unfortunately there are still deployments where SSL 3 is the only supported version of SSL/TLS. Changing the default in NSS to disable SSL 3 will break applications that rely on the NSS default and which don't offer configuration options to override the NSS default. Therefore we plan to keep SSL 3 enabled by default for another few months, allowing everyone to migrate legacy applications, and/or to enhance applications to add configuration mechanisms. We plan to disable SSL 3 by default in all versions that will be released after April 1st 2015. We strongly recommend that applications implement configuration mechanisms, allowing users to override the set of SSL/TLS protocol versions enabled by the NSS library. In case of future incidents, should additional protocol versions be considered insecure, it would allow the NSS team to change the defaults with shorter notice, and it would benefit applications that relied on the NSS library defaults. For users of NSS that already use the new NSS shared database file format (cert9.db/key4.db/pkcs11.txt): An enhancement is currently under development, that will allow configuration of the ciphers and protocols used by NSS for SSL/TLS, independently of application code, by editing the NSS configuration file pkcs11.txt (see mozilla bug 1009429). On behalf of the NSS development team -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
