emacs-devel

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.


From: Florian Weimer
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 20:43:32 +0200

* Perry E. Metzger:

> On Thu, 23 Oct 2014 20:00:08 +0200 Florian Weimer <address@hidden>
> wrote:
>> * Richard Stallman:
>> 
>> > I've read that falling back to ssl3 is a real security hole,
>> > being exploited frequently.  That feature should be removed.
>> 
>> GNUTLS automatically and securely upgrades to a TLS protocol if
>> supported by the server.  Dropping SSL 3.0 support altogether will
>> only encourage unencrypted connections instead.
>
> I disagree. It will encourage people to upgrade from a flawed
> protocol to one that works. Many people running servers are utterly
> unaware that there's anything wrong with what they're using right now
> -- if you leave in support forever, they'll never figure it out.

Well, print a warning and sit for five seconds if you care so much
about that, but denying users access to their mail just because you
decided that SSL 3.0 is not secure enough anymore doesn't make much
sense.  Rallying against RC4 would be a better use of our time, I
suspect.

Keep in mind that TLS 1.0 basically has the same problem as SSL 3.0,
and support for protocols beyond TLS 1.0 is not actually widespread.

And to reiterate, if something better is available, the presence of
SSL 3.0 support on both ends does no harm (only with browsers, but
that's a browser bug).  TLS cryptographically protects against
downgrades.
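The downgrade protection referred to above, as an added example that is not from the thread or from GnuTLS: a toy handshake whose Finished value is an HMAC over the handshake transcript (standing in for the TLS PRF). The version bytes, master secret and attacker function are constructed for illustration. It also shows why a client-side fallback retry (the browser behaviour called a bug above) sidesteps that check, because each retry is a fresh, unbound handshake.

```python
import hashlib
import hmac

# Constructed version codes (same byte order as the real ProtocolVersion field).
SSL3, TLS10, TLS12 = b"\x03\x00", b"\x03\x01", b"\x03\x03"
MASTER_SECRET = b"constructed-master-secret"  # assumed agreed by the key exchange


def finished(transcript):
    # TLS 1.0-1.2: verify_data = PRF(master_secret, label, Hash(handshake_messages)).
    # Modelled here as an HMAC keyed with the master secret over the transcript hash.
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(MASTER_SECRET, digest, hashlib.sha256).digest()


def handshake(client_max, server_versions, on_wire=lambda m: m):
    """One toy handshake.  `on_wire` is what an active attacker does to the
    ClientHello in transit.  Returns the negotiated version, or None when the
    Finished check fails (or no common version exists)."""
    sent = b"ClientHello" + client_max
    seen = on_wire(sent)                       # what the server actually receives
    offered = seen[-2:]
    chosen = max((v for v in server_versions if v <= offered), default=None)
    if chosen is None:
        return None
    srv_hello = b"ServerHello" + chosen
    server_fin = finished([seen, srv_hello])   # server signs what it saw
    client_fin = finished([sent, srv_hello])   # client checks against what it sent
    return chosen if hmac.compare_digest(server_fin, client_fin) else None


def strip_to_ssl3(msg):
    # Attacker rewrites the offered version inside the handshake (a downgrade).
    return msg[:-2] + SSL3


def fallback_dance(client_versions, server_versions, on_wire=lambda m: m):
    """Browser-style retry: after a failed handshake, reconnect offering the
    next lower version.  Nothing ties the retry to the earlier failure, so the
    attacker only has to make the higher-version attempts fail."""
    for v in sorted(client_versions, reverse=True):
        result = handshake(v, server_versions, on_wire)
        if result is not None:
            return result
    return None
```

With both sides supporting SSL 3.0 and TLS, an honest handshake still lands on the best common version and a tampered one is rejected; only the retry loop ends up on SSL 3.0.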


