Re: [PATCH] add ssl_protocols configuration option

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Dag-Erling Smørgrav <des(at)des(dot)no>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, PostgreSQL mailing lists <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] add ssl_protocols configuration option
Date: 2014-10-23 06:30:37
Message-ID: 20141023063036.GA19809@svana.org
Lists: pgsql-hackers

On Wed, Oct 22, 2014 at 09:36:59PM +0200, Dag-Erling Smørgrav wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > Dag-Erling Smørgrav <des(at)des(dot)no> writes:
> > > If I understand correctly, imaps has been shown to be vulnerable as
> > > well, so I wouldn't be so sure.
> > Reference?
>
> Sorry, no reference. I was told that Thunderbird was vulnerable to
> POODLE when talking imaps.

Ugh, found it. It does the same connection fallback stuff as firefox.

https://securityblog.redhat.com/2014/10/20/can-ssl-3-0-be-fixed-an-analysis-of-the-poodle-attack/

> > Since you can already specify the cipher list, couldn't you just add
> > -SSLv3 to the cipher list and be done?
>
> I didn't want to change the existing behavior; all I wanted was to give
> users a way to do so if they wish.

I think we should just disable SSL3.0 altogether. The only way this
could cause problems is if people are using PostgreSQL with an OpenSSL
library from last century. As for client libraries, even Windows XP
supports TLS1.0.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.
-- Arthur Schopenhauer
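A defender's check that follows from this thread, added here as an example and not code from the thread or from PostgreSQL itself: given the bytes a PostgreSQL server sent at connection start (its one-byte answer to the client's SSLRequest, then its first TLS record), it reports which protocol version the server negotiated, so an SSL 3.0 ServerHello can be flagged when verifying that SSL 3.0 really is off. It assumes the documented PostgreSQL wire format (SSLRequest code 80877103, 'S' meaning the server accepts TLS) and that the ServerHello's record-layer version equals the negotiated version, which holds for SSL 3.0 through TLS 1.2; the sample streams are constructed, not captured.

```python
import struct

# Code the client sends (after a 4-byte length of 8) to ask PostgreSQL for TLS.
PG_SSLREQUEST_CODE = 80877103
TLS_HANDSHAKE = 0x16   # record-layer content type
SERVER_HELLO = 0x02    # handshake message type

VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

def is_sslrequest(packet: bytes) -> bool:
    """True if an 8-byte client packet is a PostgreSQL SSLRequest."""
    return len(packet) == 8 and struct.unpack("!II", packet) == (8, PG_SSLREQUEST_CODE)

def parse_server_stream(data: bytes) -> str:
    """Name of the protocol version negotiated on a PostgreSQL connection,
    read from the server's SSLRequest answer and its first TLS record.
    Raises ValueError if the server declined TLS or the record is not a ServerHello."""
    if len(data) < 1 + 5 + 6:
        raise ValueError("truncated stream")
    if data[0:1] != b"S":
        raise ValueError("server declined SSLRequest (answered %r)" % data[0:1])
    rec_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", data[1:6])
    if rec_type != TLS_HANDSHAKE:
        raise ValueError("first record is not a handshake record")
    body = data[6:6 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("first handshake message is not a ServerHello")
    # ServerHello layout: msg_type(1) length(3) server_version(2) random(32) ...
    major, minor = body[4], body[5]
    return VERSION_NAMES.get((major, minor), "unknown(%d.%d)" % (major, minor))

def accepts_sslv3(data: bytes) -> bool:
    """True when the server settled on SSL 3.0, i.e. the POODLE-affected protocol."""
    return parse_server_stream(data) == "SSLv3"

def make_server_stream(major: int, minor: int) -> bytes:
    """Constructed test input: 'S' plus a minimal ServerHello record for the given version
    (version, 32 zero random bytes, empty session id, cipher 0x002f, null compression)."""
    hello = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    record = struct.pack("!BBBH", TLS_HANDSHAKE, major, minor, len(handshake)) + handshake
    return b"S" + record

if __name__ == "__main__":
    for ver in ((3, 0), (3, 3)):
        print(ver, parse_server_stream(make_server_stream(*ver)))
```

A generic `openssl s_client -connect host:5432` probe does not exercise this path on its own, because the server expects the SSLRequest packet before any TLS record; the parser above works on bytes captured from a real client session instead.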
