GNOME Bugzilla – Bug 739960
Disable SSLv3 because of POODLE
Last modified: 2014-11-11 14:18:46 UTC
In order to respond to the POODLE attack we need to disable SSLv3 in code that uses WebKit (or any web browser, for that matter). Currently the only way to turn off SSLv3 in glib-networking is to use an environment variable (see bug 738633). This means that we need to set it very early in process startup, so we cannot do it anywhere further down the stack. It needs to be done early in main(). Note that once we migrate to WK2 we won't have to do it in every application, because the WK2 network process will be doing it for us. Also see: https://bugzilla.gnome.org/show_bug.cgi?id=738633#c18
Created attachment 290413: main: Disable SSLv3 because of POODLE
Review of attachment 290413: Sucks that we have to do this via env vars. Anyway, ok. I know it's already mentioned in the commit body, but a /* FIXME: remove this when ... */ above the code is likely a good idea to make it less likely we'll forget to remove it at some point.
Created attachment 290417: main: Disable SSLv3 because of POODLE. Add a FIXME in the code.
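The early-startup approach described in the report, sketched as an added example; it is not the attached patch or any project's code. It assumes the variable is `G_TLS_GNUTLS_PRIORITY` (glib-networking's GnuTLS priority override, not named on this page) and that `NORMAL:%COMPAT` is an acceptable base string; `disable_sslv3_in_env` is a hypothetical name.

```c
/* Added example; hypothetical helper, not the attached patch. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS_PRIORITY_VAR "G_TLS_GNUTLS_PRIORITY" /* assumed: not named on the page */
#define BASE_PRIORITY    "NORMAL:%COMPAT"        /* assumed base priority string */
#define NO_SSL3          "!VERS-SSL3.0"          /* GnuTLS syntax: remove SSL 3.0 */

/* Returns 1 if the priority string already removes SSL 3.0. */
static int priority_disables_ssl3(const char *prio)
{
    return strstr(prio, "!VERS-SSL3.0") != NULL ||
           strstr(prio, "-VERS-SSL3.0") != NULL;
}

/* Call before any toolkit, GIO or WebKit initialisation.
 * Keeps a user-supplied priority string and appends the SSLv3 removal
 * to it instead of overwriting it. Returns 0 on success, -1 on error. */
int disable_sslv3_in_env(void)
{
    const char *cur = getenv(TLS_PRIORITY_VAR);
    char buf[512];
    int n;

    if (cur != NULL && priority_disables_ssl3(cur))
        return 0;                       /* already hardened, leave as is */
    if (cur == NULL || *cur == '\0')
        n = snprintf(buf, sizeof buf, "%s:%s", BASE_PRIORITY, NO_SSL3);
    else
        n = snprintf(buf, sizeof buf, "%s:%s", cur, NO_SSL3);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                      /* refuse to set a truncated string */
    return setenv(TLS_PRIORITY_VAR, buf, 1);
}

int main(void)
{
    if (disable_sslv3_in_env() != 0) {
        fprintf(stderr, "could not restrict TLS protocol versions\n");
        return EXIT_FAILURE;
    }
    /* ... toolkit and WebKit initialisation would follow here ... */
    printf("%s=%s\n", TLS_PRIORITY_VAR, getenv(TLS_PRIORITY_VAR));
    return EXIT_SUCCESS;
}
```

Because the variable is read from the process environment, a value set after the TLS backend has been loaded has no effect, which is why the call sits first in main().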