Wan-Teh Chang wrote:
> I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13).

Would this include support for SSLv2->v3 upgrade hellos?

> SSL 2.0 is an old and insecure protocol. No products should be using SSL 2.0
> today.

Can you share any information you have about how common SSL-2.0-only servers are?

> As we add TLS 1.1 and TLS 1.2 code, it also makes sense to remove the SSL 2.0
> code to reduce the code size.

It is easier to remove SSL 2.0 with short notice from client products than it is from server products. For this and many other reasons, it is worth considering splitting the codebase into client, server, and shared components (at least at the source code level). Then this decision could be done independently for client and server products and Windows desktop products can avoid shipping large chunks of (effectively) dead security-critical code.

Regards,
Brian

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto