From: David Champion
Date: Wed, 5 Nov 2014 05:40:10 +0000 (-0600)
Subject: Disable SSLv3 by default.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=856ec91628a45bed5ce02c4f9c6f29eb36180696;p=neomutt
Disable SSLv3 by default.
Since Oct. 14 2014 SSLv3 is no longer considered safe. See POODLE: https://en.wikipedia.org/wiki/Transport_Layer_Security#POODLE_attack
---
diff --git a/init.h b/init.h
index 8265551e3..f1f46c3dc 100644
--- a/init.h
+++ b/init.h
@@ -2990,14 +2990,16 @@ struct option_t MuttVars[] = {
 /*
 ** .pp
 ** This variable specifies whether to attempt to use SSLv2 in the
- ** SSL authentication process.
+ ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+ ** considered fundamentally insecure and are no longer recommended.
 */
 # endif /* defined USE_SSL_OPENSSL */
- { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 1 },
+ { "ssl_use_sslv3", DT_BOOL, R_NONE, OPTSSLV3, 0 },
 /*
 ** .pp
 ** This variable specifies whether to attempt to use SSLv3 in the
- ** SSL authentication process.
+ ** SSL authentication process. Note that SSLv2 and SSLv3 are now
+ ** considered fundamentally insecure and are no longer recommended.
 */
 { "ssl_use_tlsv1", DT_BOOL, R_NONE, OPTTLSV1, 1 },
 /*
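Review bot: The help text added under `ssl_use_sslv3` calls the protocol "no longer recommended" but never says the option is now off by default or what a user accepts by turning it back on. A configuration that already sets `ssl_use_sslv3` explicitly is unaffected by the new `0` in the table, so the manual text is the only warning those users will see. I would add a line such as `** Disabled by default; enable it only for a server that offers nothing newer, because SSLv3 is exposed to the POODLE attack.` The same sentence was added to the SSLv2 text, but the `ssl_use_sslv2` table entry sits above this hunk, so its default cannot be checked from here and should be confirmed to be `0` as well. The `MuttVars[]` initializer starts and ends outside the hunk.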