From af73d3e4d83ba7f404068008ad617e02b8a0a77b Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 15 Oct 2014 11:50:05 -0400
Subject: Disable SSLv3 unconditionally. Closes ticket 13426.

The POODLE attack doesn't affect Tor, but there's no reason to tempt
fate: SSLv3 isn't going to get any better.
---
 changes/disable_sslv3 | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 changes/disable_sslv3

(limited to 'changes/disable_sslv3')

diff --git a/changes/disable_sslv3 b/changes/disable_sslv3
new file mode 100644
index 0000000000..bb4c2df7a2
--- /dev/null
+++ b/changes/disable_sslv3
@@ -0,0 +1,4 @@
+  o Major security fixes:
+    - Disable support for SSLv3. All versions of OpenSSL in use with
+      Tor today support TLS 1.0 or later, so we can safely turn off
+      support for this old (and insecure) protocol. Fixes bug 13426.
-- 
cgit v1.2.3-54-g00ecf