Hacker News new | ask | show | jobs
by adrianN 3523 days ago
LibreSSL has removed SSL3, so I'd guess it doesn't do "SSL3_AL_WARNING"
2 comments
cm3 3523 days ago
And Firefox 52 is proposed to default to TLS 1.3 for safety and performance reasons: https://groups.google.com/forum/#!topic/mozilla.dev.platform...

I wish it was still possible to override these per profile. Last time I tried, the knobs were gone and had no effect whatsoever to enable safer defaults. I used to be able to force a minimum TLS version and enable only select few ciphers.

link
johnp_ 3523 days ago
Still possible:

security.tls.version.min security.tls.version.max

security.ssl3.<cipher_suite>

link
cm3 3523 days ago
Thanks, you're right, found and disabled all but two specs and tuned minimum to 3 which is TLS1.2. Will put those in the locked config file, so that they're read-only at runtime.
link
detaro 3523 days ago
Since in OpenSSL TLS is affected as well, I wouldn't be so sure.
link