Message214499
> We can add OP_NO_SSLv3 to the default context to prevent SSL3 but it's
> sort of a situational thing. If you're doing something where you need
> SSL3 clients you don't want OP_NO_SSLv3.
>
> So I guess the question is, do we want to be more secure by default
> and *not* lower the lower bounds of security and require people to add
> context.options & ~ssl.OP_NO_SSLv3 if they want to support SSLv3
> connections?
Most people won't understand the symptoms if some clients can't connect,
so I'd say no.
Also, clients should always use the higher possible protocol version, so
I don't think security is at stake here.

Date | User | Action | Args
2014-03-22 18:13:39 | pitrou | set | recipients: + pitrou, christian.heimes, alex, dstufft
2014-03-22 18:13:39 | pitrou | link | issue21013 messages
2014-03-22 18:13:39 | pitrou | create |