by attilagyorffy 3523 days ago
There's currently no post on openssl.org but I expect them to publish one soon. Also, now with all the OpenSSL sh*tstorm this year, I really wonder if LibreSSL is vulnerable to this security problem...

LibreSSL has removed SSL3, so I'd guess it doesn't do "SSL3_AL_WARNING"
And Firefox 52 is proposed to default to TLS 1.3 for safety and performance reasons: https://groups.google.com/forum/#!topic/mozilla.dev.platform...

I wish it was still possible to override these per profile. Last time I tried, the knobs were gone and had no effect whatsoever to enable safer defaults. I used to be able to force a minimum TLS version and enable only a select few ciphers.

Still possible:

security.tls.version.min

security.tls.version.max

security.ssl3.<cipher_suite>

Thanks, you're right, found and disabled all but two specs and tuned minimum to 3, which is TLS 1.2. Will put those in the locked config file, so that they're read-only at runtime.

Since in OpenSSL TLS is affected as well, I wouldn't be so sure.