[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.

From: Florian Weimer
Subject: Re: Bug#766395: emacs/gnus: Uses s_client to for SSL.
Date: Thu, 23 Oct 2014 20:00:08 +0200

* Richard Stallman:

> I've read that falling back to ssl3 is a real security hole,
> being exploited frequently.  That feature should be removed.

GNUTLS automatically and securely upgrades to a TLS protocol if
supported by the server.  Dropping SSL 3.0 support altogether will
only encourage unencrypted connections instead.  Furthermore, SSL 3.0
is certainly not an ideal design, but neither is TLS 1.0.  Only
TLS 1.1 and later attempt to fix the padding issue, and support for
those versions is still poor in servers.  Fortunately, the padding
issues are only exploitable under fairly narrow circumstances.
Most applications (except web browsers) use SSL 3.0 in such a way that
the attack described in the POODLE paper does not apply.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]