Disable SSLv3 by default.
authorDavid Champion <dgc@uchicago.edu>
Wed, 5 Nov 2014 05:40:10 +0000 (23:40 -0600)
committerDavid Champion <dgc@uchicago.edu>
Wed, 5 Nov 2014 05:40:10 +0000 (23:40 -0600)
Since Oct. 14 2014 SSLv3 is no longer considered safe. See POODLE:
https://en.wikipedia.org/wiki/Transport_Layer_Security#POODLE_attack

init.h

diff --git a/init.h b/init.h
index 8265551e3934c5e55c7667c3d0fd89fe6028f8d4..f1f46c3dc58535ee9718ac1f36467ce16a3b3941 100644 (file)
--- a/init.h
+++ b/init.h
@@ -2990,14 +2990,16 @@ struct option_t MuttVars[] = {
   /*
   ** .pp
   ** This variable specifies whether to attempt to use SSLv2 in the
-  ** SSL authentication process.
+  ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+  ** considered fundamentally insecure and are no longer recommended.
   */
 # endif /* defined USE_SSL_OPENSSL */
-  { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
+  { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 0 },
   /*
   ** .pp
   ** This variable specifies whether to attempt to use SSLv3 in the
-  ** SSL authentication process.
+  ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+  ** considered fundamentally insecure and are no longer recommended.
   */
   { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
   /*
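Review bot: The sentence added to both doc comments calls SSLv2 and SSLv3 "no longer recommended" but does not say that `ssl_use_sslv3` is now off by default or why it should stay off, so a user whose connection to an old server fails gets no guidance on the trade-off. For the `ssl_use_sslv3` comment I would write `** SSL authentication process. SSLv3 is disabled by default because of protocol-level weaknesses (see POODLE); enable it only for a server that offers nothing newer.` and drop the time-relative "now". The new default only helps users whose muttrc does not already set `ssl_use_sslv3`, which is worth a line in the release notes. The `ssl_use_sslv2` entry and its default sit above this hunk in `MuttVars[]`, so whether the first comment's wording matches that option's default cannot be checked from here.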