[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
From: |
Florian Weimer |
Subject: |
Re: Bug#766395: emacs/gnus: Uses s_client to for SSL. |
Date: |
Thu, 23 Oct 2014 20:00:08 +0200 |
* Richard Stallman:
> I've read that falling back to ssl3 is a real security hole,
> being exploited frequently. That feature should be removed.
GNUTLS automatically and securely upgrades to a TLS protocol if
supported by the server. Dropping SSL 3.0 support altogether will
only encourage unencrypted connections instead. Furthermore, SSL 3.0
is certainly not an ideal design, but neither is TLS 1.0. Only
TLS 1.1 and later attempt to fix the padding issue, and support for
those versions is still poor in servers. Fortunately, the padding
issues are only exploitable under fairly narrow circumstances.
Most applications (except web browsers) use SSL 3.0 in such a way that
the attack described in the POODLE paper does not apply.
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Rob Browning, 2014/10/22
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Richard Stallman, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.,
Florian Weimer <=
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Florian Weimer, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Florian Weimer, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Kurt Roeckx, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Florian Weimer, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Kurt Roeckx, 2014/10/23
- Re: Bug#766395: emacs/gnus: Uses s_client to for SSL., Perry E. Metzger, 2014/10/23