httpd-dev mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: Improving SSL config
Date Wed, 16 Nov 2011 08:27:23 GMT


----- Original Message -----
> On 14.11.2011 15:46, William A. Rowe Jr. wrote:
> > Isn't it similarly time to deploy SSLProtocol -SSLv2 by default?
> 
> Oh yes, definitely. I didn't realize that "all" is still the default for
> SSLProtocol... for trunk and 2.4, I would suggest to change the defaults
> in the code. In decreasing order of preference:
> 
> - completely drop SSLv2 support
> 
> - change the default (in modssl_ctx_init) to
>   SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2

+1

> The first option also means that we would "comply" with RFC 6176 (in
> case someone complains about mod_ssl dropping support for a clearly
> outdated and insecure protocol).
> 
> Kaspar
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
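
An added example, not part of the original message or of mod_ssl's source: a small C model of how the second option in the quoted list (changing only the compiled-in default) affects which configurations still end up with SSLv2 enabled. The bit values, the helper `effective_protocols`, the `PROPOSED_DEFAULT` macro and the token-evaluation rule are assumptions for illustration; only `SSL_PROTOCOL_ALL` and `SSL_PROTOCOL_SSLV2` are named in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed bit values; only the names SSL_PROTOCOL_ALL and
 * SSL_PROTOCOL_SSLV2 come from the thread. */
#define SSL_PROTOCOL_NONE  0
#define SSL_PROTOCOL_SSLV2 (1 << 0)
#define SSL_PROTOCOL_SSLV3 (1 << 1)
#define SSL_PROTOCOL_TLSV1 (1 << 2)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1)
#define PROPOSED_DEFAULT   (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2)

/* Hypothetical helper: protocol mask a server ends up with.
 * args == NULL: no SSLProtocol directive, the compiled-in default applies.
 * Assumed rule: "+x" adds, "-x" removes, a bare token replaces the mask.
 * Returns -1 for an unknown token or over-long input. */
int effective_protocols(const char *args, int compiled_default)
{
    char buf[128];
    int mask = SSL_PROTOCOL_NONE;
    if (args == NULL) return compiled_default;
    if (strlen(args) >= sizeof(buf)) return -1;
    strcpy(buf, args);
    for (char *w = strtok(buf, " \t"); w; w = strtok(NULL, " \t")) {
        char action = (*w == '+' || *w == '-') ? *w++ : '\0';
        int bit;
        if (!strcasecmp(w, "SSLv2"))      bit = SSL_PROTOCOL_SSLV2;
        else if (!strcasecmp(w, "SSLv3")) bit = SSL_PROTOCOL_SSLV3;
        else if (!strcasecmp(w, "TLSv1")) bit = SSL_PROTOCOL_TLSV1;
        else if (!strcasecmp(w, "all"))   bit = SSL_PROTOCOL_ALL;
        else return -1;
        if (action == '-')      mask &= ~bit;
        else if (action == '+') mask |= bit;
        else                    mask = bit;
    }
    return mask;
}

int main(void)
{
    /* Constructed sample configurations; NULL means the directive is absent. */
    const char *cfg[] = { NULL, "all", "all -SSLv2", "-SSLv2 all" };
    for (int i = 0; i < 4; i++)
        printf("%-12s SSLv2 with old default=%d, with proposed default=%d\n",
               cfg[i] ? cfg[i] : "(unset)",
               !!(effective_protocols(cfg[i], SSL_PROTOCOL_ALL) & SSL_PROTOCOL_SSLV2),
               !!(effective_protocols(cfg[i], PROPOSED_DEFAULT) & SSL_PROTOCOL_SSLV2));
    return 0;
}
```

Under this model, only servers with no `SSLProtocol` directive change behaviour when the default changes; a configuration that says `all` explicitly, or that places `-SSLv2` before `all`, keeps SSLv2 enabled and is the kind of line to look for in a configuration audit.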

