Can we deprecate SSLv2,3?


#1

I have been building ManageIQ from your git repo for a few months now. Until recently I had no issues, but recently my distro’s (Arch Linux) package maintainers decided to remove SSLv3 support from their openssl package.

While some distros have not made this move, like Fedora, others like Ubuntu have. In light of attacks against SSLv2 (DROWN) and SSLv3 (POODLE), it seems like a good idea to drop support, or at least the requirement for support, of SSL, and push for more recent crypto standards like TLS.

What are the community’s thoughts on a move like this?


#2

It may be worth noting that other projects (Apache httpd) suggest only supporting TLSv1.2 by the end of 2016.


#3

Thanks @carnott for your suggestion!
@dmetzger FYI