[Operators] Removing SSLv3 from ejabberd 2.1.x and 13.x

Matthew Wild mwild1 at gmail.com
Tue Jan 7 01:31:43 UTC 2014


On 7 January 2014 01:16, Justin Bull <me at justinbull.ca> wrote:
> Hello,
> It has come to my attention that I should alert this list to an open
> PR I have for ejabberd:
> https://github.com/processone/ejabberd/pull/124
> It's a simple PR targeting their 2.1.x branch (the version
> jabber.ccc.de was running at the time the PR was authored) removing
> SSLv3 as an available protocol.
> Unfortunately, not only does it appear my patch will not be applied,
> but they also reverted the commit that removes SSLv3 from their master
> release line (13.x):

> I'd appreciate your opinions and discussion on the open GitHub PR's
> comments.

We originally intended to remove SSLv3 by default in the next minor
release of Prosody. However we also reverted that commit after I
gathered stats (Peter posted them somewhere on this list I think)
showing that it is actually still in common use. We still have it
disabled by default in trunk and for our next major release however,
and we won't revert it there unless it really proves to be a problem.
The world has to move forwards somehow :)

Also note that SSLv3 hasn't been shown to be any less secure than
TLSv1 (in fact they are essentially the same), but TLSv1 is still very
widely used. Therefore there is no security reason to disable SSLv3,
unless you also plan to disable TLSv1 at the same time.

I believe the best thing we can do for now is to fix and update the
clients, rather than just cutting them off on the server-side. It
shouldn't be that hard...

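For operators who want to do on their own server what the discussion above describes (drop SSLv3 while keeping TLSv1 and later), the following is an added illustration of the Prosody side, not the text of the ejabberd PR, nor Prosody's own default configuration. It assumes a Prosody 0.9-style config file and a LuaSec/OpenSSL build that understands the "no_sslv2"/"no_sslv3" option names; the certificate paths are placeholders.

```lua
-- Added example: Prosody TLS settings with SSLv3 disabled.
-- Not code from the original post or from Prosody/ejabberd.
-- Assumes Prosody 0.9-style config and LuaSec option names
-- "no_sslv2" / "no_sslv3"; paths below are placeholders.

-- Weak form: no "options" given, so whatever the library default allows
-- (SSLv3 included on older LuaSec/OpenSSL builds) is accepted.
--
-- ssl = {
--     key = "/etc/prosody/certs/example.com.key";
--     certificate = "/etc/prosody/certs/example.com.crt";
-- }

-- Hardened form: refuse SSLv2 and SSLv3 explicitly; TLSv1 and later
-- remain available for clients that have not yet been updated.
ssl = {
    key = "/etc/prosody/certs/example.com.key";         -- placeholder path
    certificate = "/etc/prosody/certs/example.com.crt"; -- placeholder path
    options = { "no_sslv2", "no_sslv3" };
}
```

After changing the setting, reload the server and confirm from the client side (for example, with an openssl s_client handshake forced to SSLv3) that the connection is now refused while a TLSv1 handshake still succeeds; that check is what tells you the option name was actually honoured by the installed LuaSec build.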
