Re: [PERDITION-USERS] Disabling SSLv3

Hi Christophe, * I believe that the patch in question has been merged and is present in the mecurial repository. http://hg.vergenet.net/perdition/perdition/rev/30672d224854 * It is not at all clear to me that the patch above disables SSLv3. I believe a separate change to allow users to select which SSL/TLS protocol versions are enabled may be worth adding to perdition. But I'm not sure of a way to do that cleanly which doesn't require updating perdition each time the underlying SSL/TLS implementation, currently OpenSSL, adds support for a new protocol. * It appears to me that updating OpenSSL will prevent perdition from being the SSL DROWN vulnerability. My light testing indicates that with an updated OpenSSL it is no longer possible to negotiate an SSLv3 connection with perdition. https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drow… On Mon, May 02, 2016 at 05:59:59PM +0200, Christophe Ségui wrote: