[gnutls-devel] disabling SSL 3.0 by default in 3.4.0

Peter Williams home_pw at msn.com
Wed Oct 15 23:40:15 CEST 2014


Some of us still use SSL v2, between HSM and its client lib. But then the app protocol is not HTTP (being carefully thought out, to complement SSL features). One can force handshakes, to MAC ciphertext.

Lots of NSA deception & social engineering being used (to engineer upgrades...). Usual vendors and journos being used, to manipulate the cryptonet.

Don't rush, like lemmings.



Sent from my Windows Phone
________________________________
From: Tim Rühsen <tim.ruehsen at gmx.de>
Sent: 10/15/2014 12:22 PM
To: gnutls-devel at gnu.org
Cc: GnuTLS development list <gnutls-devel at lists.gnutls.org>
Subject: Re: [gnutls-devel] disabling SSL 3.0 by default in 3.4.0

On Wednesday, 15 October 2014, 15:25:34, Nikos Mavrogiannopoulos wrote:
> Hello,
>  Given the new and old attacks known for SSL 3.0, would it make sense
> to disable SSL 3.0 in the default priority strings?
>

Wget for example uses GnuTLS default settings as default.
Changing the default priority strings in GnuTLS gives the security benefit to
Wget without changing Wget's code. That is a good reason to use GnuTLS (or
other libraries) default settings in clients.

Some scenarios might break ... but since we all want to go away from SSLv3
towards TLS (the sooner the better), it seems to be a good choice to me to
change the default priority strings.

Just my opinion.

Tim