After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 739963 - Disable SSLv3 because of POODLE
Disable SSLv3 because of POODLE
Status: RESOLVED FIXED
Product: gnome-initial-setup
Classification: Applications
Component: general
3.14.x
Other All
: Normal normal
: ---
Assigned To: GNOME Initial Setup maintainer(s)
GNOME Initial Setup maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2014-11-11 14:00 UTC by Debarshi Ray
Modified: 2014-11-11 14:19 UTC
See Also:
GNOME target: ---
GNOME version: ---

Attachments
Disable SSLv3 because of POODLE (1.03 KB, patch)
2014-11-11 14:10 UTC, Debarshi Ray 		committed Details | Review

Description Debarshi Ray 2014-11-11 14:00:32 UTC 
In order to respond to the POODLE attack we need to disable SSLv3 in code that uses WebKit (or any web browser, for that matter). Currently the only way to turn off SSLv3 in glib-networking is to use an environment variable (see bug 738633). This means that we need to set it very early in process startup, so we can not do it anywhere further down the stack. It needs to be done early in main().

Note that once we migrate to WK2 we won't have to do it in every application, because the WK2 network process will be doing it for us.

Also see:
https://bugzilla.gnome.org/show_bug.cgi?id=738633#c18
Comment 1 Rui Matos 2014-11-11 14:02:39 UTC 
hmm, I'll have to do a 3.14.2.1 for this then, please push the same patch
Comment 2 Debarshi Ray 2014-11-11 14:10:40 UTC 
Created attachment 290416 [details] [review]
Disable SSLv3 because of POODLE