El 15/10/14 a las #4, John Andersen escribió:
Apparently there are fixes available for this already.
There are workarounds but there can't be a "fix" since you can't fix an old protocol design flaw, one that was already fixed in TLS 1.0.. 15 years ago. We could remove SSLv3 support entirely.That requires patching, ABI breaks..etc..unsuitable for released products. I favor this solution for releases after 13.2.. We could also disable SSlv3 by default without completely removing SSLv3, that is doable without much hassle, though it might prevent users from connecting to a tiny corner of the internet (0.4-0.7 of servers do not support TLS v1.0) . I only agree with taking this route with already released or soon to be released versions.
Turns out there is even more to worry about: http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/
Is LibreSSL an option yet
I don't think so. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org