On Mon, Aug 30, 2010 at 8:12 AM, Brian Smith <br...@briansmith.org> wrote:
> Wan-Teh Chang wrote:
>> I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13).
>
> Would this include support for SSLv2->v3 upgrade hellos?

I forgot to talk about this issue.  We'll need to keep the
server-side code that handles SSLv2-compatible ClientHello.

> Can you share any information you have about how common SSL-2.0-only servers
> are?

I don't have this info, but the products that need to support
SSL 2.0 can stay with NSS 3.12.x.

> It is easier to remove SSL 2.0 with short notice from client products than
> it is from server products. For this and many other reasons, it is worth
> considering splitting the codebase into client, server, and shared
> components (at least at the source code level). Then this decision could be
> done independently for client and server products and Windows desktop
> products can avoid shipping large chunks of (effectively) dead
> security-critical code.

This is a good goal, but it can be a very intrusive change.
I'm going for the most bang for the buck.

I do think ssl3con.c is too big.  At 9503 lines, it takes a
long time to load ssl3con.c in mxr.mozilla.org, and that
hurts developer productivity.  (I use MXR to help me
understand the code.)  So if we're going to break ssl3con.c
into parts, we can follow your suggestion -- client, server,
and shared.

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
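The "SSLv2-compatible ClientHello" the thread says the server side must keep handling is the RFC 5246 Appendix E.2 format: a 2-byte record header with the high bit set, then msg_type, version, three 16-bit lengths, 3-byte cipher specs, session id and challenge. The parser below is an added example, not NSS code and not the code path Wan-Teh refers to in ssl3con.c; the sample bytes (a hello offering TLS 1.0 with two TLS suites and one SSL 2.0-only spec) and the SSLv3 record used as a negative case are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Parser for the SSLv2-compatible ClientHello that SSLv3/TLS servers still
 * have to accept (RFC 5246, Appendix E.2).  Layout after the 2-byte record
 * header: msg_type(1) version(2) cipher_spec_length(2) session_id_length(2)
 * challenge_length(2) cipher_specs[] session_id[] challenge[].  Each cipher
 * spec is 3 bytes; {0x00,hi,lo} names the TLS suite {hi,lo}.
 */
#define MAX_SUITES 64   /* bound chosen for this example */

typedef struct {
    uint8_t  version_major, version_minor;   /* highest version the client offers */
    size_t   n_tls_suites;                   /* specs of the form {0x00,hi,lo} */
    uint16_t tls_suites[MAX_SUITES];
    size_t   n_v2_only;                      /* specs with a nonzero first byte */
    size_t   challenge_len;
    const uint8_t *challenge;                /* points into the caller's buffer */
} v2_client_hello;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 and fills *out for a complete, well-formed v2-compatible
 * ClientHello; returns 0 for anything else (SSLv3/TLS record, v2 record
 * with a 3-byte padded header, truncated or inconsistent lengths). */
int parse_v2_client_hello(const uint8_t *buf, size_t len, v2_client_hello *out)
{
    size_t rec_len, cs_len, sid_len, ch_len, i;
    const uint8_t *p;

    /* A v2 record with the high bit set has a 2-byte header and no padding.
     * SSLv3/TLS handshake records start with content type 0x16, so this
     * single bit tells the two formats apart. */
    if (len < 2 || !(buf[0] & 0x80))
        return 0;
    rec_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
    if (rec_len + 2 != len || rec_len < 9)
        return 0;
    p = buf + 2;
    if (p[0] != 0x01)                     /* CLIENT-HELLO */
        return 0;
    out->version_major = p[1];
    out->version_minor = p[2];
    cs_len  = rd16(p + 3);
    sid_len = rd16(p + 5);
    ch_len  = rd16(p + 7);
    /* The three lengths must account for the record body exactly. */
    if (9 + cs_len + sid_len + ch_len != rec_len)
        return 0;
    if (cs_len % 3 != 0 || cs_len / 3 > MAX_SUITES)
        return 0;
    /* A client using this format to reach v3/TLS must not try to resume a
     * v2 session, and the challenge carries 16..32 bytes of client random. */
    if (sid_len != 0 || ch_len < 16 || ch_len > 32)
        return 0;
    p += 9;
    out->n_tls_suites = out->n_v2_only = 0;
    for (i = 0; i < cs_len; i += 3) {
        if (p[i] == 0x00)
            out->tls_suites[out->n_tls_suites++] = rd16(p + i + 1);
        else
            out->n_v2_only++;             /* SSL 2.0-only spec; a v3+ server ignores it */
    }
    out->challenge     = p + cs_len + sid_len;
    out->challenge_len = ch_len;
    return 1;
}

/* Constructed sample: a v2-compatible hello offering TLS 1.0 with two TLS
 * suites (AES128-SHA 0x002F, 3DES-SHA 0x000A) and one SSL 2.0-only spec
 * (RC4_128_WITH_MD5, 0x010080), followed by a 16-byte challenge. */
const uint8_t SAMPLE_V2_HELLO[] = {
    0x80, 0x22,                   /* header: high bit set, body length 34 */
    0x01,                         /* CLIENT-HELLO */
    0x03, 0x01,                   /* version 3.1 = TLS 1.0 */
    0x00, 0x09,                   /* cipher_spec_length = 9 (three specs) */
    0x00, 0x00,                   /* session_id_length = 0 */
    0x00, 0x10,                   /* challenge_length = 16 */
    0x00, 0x00, 0x2F,  0x00, 0x00, 0x0A,  0x01, 0x00, 0x80,
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};
const size_t SAMPLE_V2_HELLO_LEN = sizeof SAMPLE_V2_HELLO;

/* Constructed sample: the start of an SSLv3/TLS handshake record (content
 * type 0x16, version 3.1), which the v2 parser must reject. */
const uint8_t SAMPLE_V3_RECORD[] = { 0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00 };
const size_t SAMPLE_V3_RECORD_LEN = sizeof SAMPLE_V3_RECORD;

v2_client_hello g_hello;

/* Parses SAMPLE_V2_HELLO into g_hello and returns the parser's verdict. */
int parse_sample(void)
{
    return parse_v2_client_hello(SAMPLE_V2_HELLO, SAMPLE_V2_HELLO_LEN, &g_hello);
}

int main(void)
{
    size_t i;
    if (!parse_sample()) { puts("not a v2-compatible ClientHello"); return 1; }
    printf("client offers up to version %u.%u\n", g_hello.version_major, g_hello.version_minor);
    for (i = 0; i < g_hello.n_tls_suites; i++)
        printf("  TLS suite 0x%04X\n", g_hello.tls_suites[i]);
    printf("  %zu SSL 2.0-only spec(s) ignored, %zu-byte challenge\n",
           g_hello.n_v2_only, g_hello.challenge_len);
    return 0;
}
```

The point for a server that has dropped SSL 2.0 proper is the first check: the high bit of the first byte is what separates this legacy hello from an SSLv3/TLS record, and once the hello is parsed the SSL 2.0-only cipher specs are simply counted and ignored while the {0x00,hi,lo} entries feed the normal TLS suite selection. Every length field is validated against the record length before any of the variable-length sections is touched.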
