[gnutls-help] Advice for handling POODLE vulnerability

Michael Catanzaro mcatanzaro at gnome.org
Fri Oct 17 01:09:46 CEST 2014


Hi,

I'm looking for some advice on how to plug the POODLE vulnerability in
WebKitGTK+. We use GnuTLS indirectly through libsoup, which uses glib,
which uses glib-networking, which uses GnuTLS.  glib does not currently
offer the ability to control the protocols or cipher suites in use.

Traditionally, glib-networking has not changed any GnuTLS defaults, on
the assumption that your defaults will always be better and more secure
than anything the glib developers could come up with. But since it looks
like SSLv3 will not be disabled until GnuTLS 3.4, and we need to
immediately disable SSLv3, this no longer seems like a reasonable option
for glib. In order to avoid breaking applications that require SSLv3,
the current consideration is to add new API in glib (and possibly also
in libsoup) for controlling protocols in use... but this seems like a
poor way to handle a security issue, and would cause glib to default to
insecure.

There's a short discussion in [1]. We'd really appreciate any advice
this list has to offer on how to proceed.

Thanks,

Michael

[1] https://bugzilla.gnome.org/show_bug.cgi?id=738633