[squid-dev] Death of SSLv3

Marcus Kool marcus.kool at urlfilterdb.com
Thu May 7 13:26:10 UTC 2015



On 05/07/2015 07:03 AM, Amos Jeffries wrote:
> It's done. SSLv3 is now a "MUST NOT use" protocol from RFC 7525
> (<http://tools.ietf.org/html/rfc7525>)

Good decision.

> It's time for us to start ripping out from trunk all features and hacks
> supporting its use. Over the coming days I will be submitting patches to
> remove the squid.conf settings, similar to SSLv2 removal earlier.
>
> The exceptions which may remain are SSLv3 features which are used by the
> still-supported TLS versions. Such as session resume, and the SSLv3
> format of Hello message (though not the SSLv3 protocol IDs).

Are you sure you want to do this _now_?

It is predictable that users will complain with
"I know this provider is stupid and uses SSLv3 but I _need_ to access that site for our business"
and use this as a reason not to upgrade, or blame Squid.

It may not be that much extra work to have a new option "use_sslv3" with the default set to OFF
and not rip out the SSLv3 code yet.  Also, if you do not rip out SSLv3, Squid can detect that a site uses
SSLv3 and give a useful error message like "this site insists on using the unsafe SSLv3 protocol"
instead of a confusing "unknown protocol".

Marcus


> Christos, if you can keep this in mind for all current / pending, and
> future "SSL" work.
>
> Amos
>
> _______________________________________________
> squid-dev mailing list
> squid-dev at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-dev
>
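The detection Marcus describes, as an added Python example that is neither Squid's code nor part of this thread: it reads the record-layer header and the ServerHello version from a constructed server response and classifies it, so a proxy could emit a specific SSLv3 diagnostic instead of a generic "unknown protocol" error. The sample responses are constructed inline; the `VERSION_NAMES` table and `classify_server_hello` name are assumptions of this example.

```python
import struct

# TLS/SSL record layer: ContentType(1) ProtocolVersion(2) length(2).
# SSLv3 and TLS 1.0-1.2 share this layout; only the version bytes differ.
HANDSHAKE = 0x16
SERVER_HELLO = 0x02
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify_server_hello(data: bytes) -> dict:
    """Return {'version': name-or-None, 'error': message-or-None}.

    The negotiated version is taken from the ServerHello body, not the
    record header, because TLS 1.0-1.2 servers may send a record-layer
    version lower than the one they actually selected.
    """
    if len(data) < 5:
        return {"version": None, "error": "truncated record header"}
    ctype, major, _minor, length = struct.unpack("!BBBH", data[:5])
    if ctype != HANDSHAKE or major != 3:
        # Not an SSL/TLS record at all: this is the bare "unknown protocol" case.
        return {"version": None, "error": "unknown protocol"}
    body = data[5:5 + length]
    # ServerHello: HandshakeType(1) length(3) server_version(2) random(32) ...
    if len(body) < 6 or body[0] != SERVER_HELLO:
        return {"version": None, "error": "unexpected handshake message"}
    version = (body[4], body[5])
    name = VERSION_NAMES.get(version, f"unknown version {version[0]}.{version[1]}")
    if version == (3, 0):
        return {"version": name,
                "error": "this site insists on using the unsafe SSLv3 protocol"}
    return {"version": name, "error": None}


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed minimal ServerHello record (sample input, not a real capture)."""
    hello = bytes([major, minor]) + b"\x00" * 32   # version + random
    hello += b"\x00" + b"\x00\x2f" + b"\x00"        # empty session id, one suite, null compression
    handshake = bytes([SERVER_HELLO]) + len(handshake_len := hello).to_bytes(3, "big") + handshake_len
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


SSLV3_RESPONSE = build_server_hello(3, 0)          # constructed
TLS12_RESPONSE = build_server_hello(3, 3)          # constructed
PLAIN_HTTP_RESPONSE = b"HTTP/1.1 400 Bad Request\r\n"  # constructed: not TLS at all

if __name__ == "__main__":
    for sample in (SSLV3_RESPONSE, TLS12_RESPONSE, PLAIN_HTTP_RESPONSE):
        print(classify_server_hello(sample))
```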