oss-sec mailing list archives
Re: Truly scary SSL 3.0 vuln to be revealed soon:
From: Reed Loden <reed () reedloden com>
Date: Tue, 14 Oct 2014 08:36:43 -0700
On Tue, 14 Oct 2014 08:23:23 -0700 Alex Gaynor <alex.gaynor () gmail com> wrote:
> At what point are we going to decide that it's absurd for every single TLS deployment to need to reconfigure everything in order to achieve strong security, and say that OpenSSL (or even Apache/Nginx/HAProxy/etc.) should just configure things reasonably out of the box?

I agree, but the OpenSSL folks have always been fairly resistant to changing things that might "break compatibility", or at least it seems that way. This same type of argument came up when trying to get Ruby to use better OpenSSL settings by default (https://bugs.ruby-lang.org/issues/9424). Everybody wants to blame somebody else. Nobody wants to possibly be on the hook when things break.

~reed