Disable SSLv3 by default #248

Closed
lorenzhs opened this Issue Nov 3, 2014 · 0 comments

lorenzhs commented Nov 3, 2014

SSLv3 should never be enabled by default; it is considered broken. Thus, please remove it from the default configurations for all plugins that use SSL (irc, relay, and potentially others?).

It should not be necessary to do /set relay.network.ssl_priorities "PERFORMANCE:-VERS-SSL3.0". For example, relay allows access to /exec which could be fatal in the wrong hands. Thus, strong cipher suite defaults are a must and leaving SSLv3 in the mix is irresponsible.

To show that this is not just me being crazy and paranoid: Google is disabling fallback to SSLv3 in Chrome 39, and plans on removing it altogether in version 40. See what their security chief said about that.

Somewhat related: #234
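
An added example, not part of the original issue or of WeeChat's code: a small audit that flags every `ssl_priorities` option whose GnuTLS priority string does not explicitly remove SSL 3.0, generalizing the single relay setting quoted above to any plugin option of that name. The config layout, section names and sample values are constructed assumptions.

```python
import re

# Constructed sample in a "name = value" config layout (assumed format).
SAMPLE_CONF = '''\
[network]
bind_address = ""
ssl_priorities = "PERFORMANCE"

[server_default]
ssl_priorities = "NORMAL:-VERS-SSL3.0"

[server]
example.ssl_priorities = "NORMAL:-VERS-ALL:+VERS-TLS1.2"
legacy.ssl_priorities = "NORMAL:-VERS-SSL3.0:+VERS-SSL3.0"
'''

OPTION_RE = re.compile(r'^\s*([\w.]*ssl_priorities)\s*=\s*"([^"]*)"\s*$')


def ssl3_explicitly_disabled(priorities):
    """True only if the string removes SSL 3.0 and never adds it back.

    Base keywords (NORMAL, PERFORMANCE, ...) are deliberately not trusted:
    what they enable depends on the GnuTLS version in use.
    """
    disabled = False
    for token in priorities.upper().split(":"):  # tokens apply left to right
        if token in ("-VERS-SSL3.0", "!VERS-SSL3.0", "-VERS-ALL"):
            disabled = True
        # +VERS-TLS-ALL is treated conservatively as possibly re-enabling it.
        elif token in ("+VERS-SSL3.0", "+VERS-ALL", "+VERS-TLS-ALL"):
            disabled = False
    return disabled


def audit(conf_text):
    """Return (section, option, value) for each ssl_priorities option that
    does not explicitly disable SSL 3.0."""
    findings, section = [], None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        m = OPTION_RE.match(line)
        if m and not ssl3_explicitly_disabled(m.group(2)):
            findings.append((section, m.group(1), m.group(2)))
    return findings
```

Calling `audit(SAMPLE_CONF)` returns the two constructed entries that leave SSL 3.0 reachable: the bare `PERFORMANCE` default and the string that re-adds `+VERS-SSL3.0` after removing it.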
