httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Improving SSL config
Date Mon, 14 Nov 2011 17:41:44 GMT

On 14.11.2011 15:46, William A. Rowe Jr. wrote:
> Isn't it similarly time to deploy SSLProtocol -SSLv2 by default?

Oh yes, definitely. I didn't realize that "all" is still the default for
SSLProtocol... for trunk and 2.4, I would suggest to change the defaults
in the code. In decreasing order of preference:

- completely drop SSLv2 support

- change the default (in modssl_ctx_init) to
  SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2

The first option also means that we would "comply" with RFC 6176 (in
case someone complains about mod_ssl dropping support for a clearly
outdated and insecure protocol).

Kaspar
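
Added example (not part of the original message, and not mod_ssl's code): a small C model of how the compiled-in default interacts with the SSLProtocol directive, showing that a server with no directive has SSLv2 enabled under the "all" default and not under the proposed `SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2`. The bit values, the `+`/`-`/bare token handling, and the helpers `ieq` and `effective_protocols` are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bit values are assumptions for this example, not copied from mod_ssl. */
#define SSL_PROTOCOL_NONE  0u
#define SSL_PROTOCOL_SSLV2 (1u << 0)
#define SSL_PROTOCOL_SSLV3 (1u << 1)
#define SSL_PROTOCOL_TLSV1 (1u << 2)
#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2 | SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1)

/* Case-insensitive string equality (hypothetical helper). */
static int ieq(const char *a, const char *b)
{
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return tolower((unsigned char)*a) == tolower((unsigned char)*b);
}

/* Hypothetical helper: effective protocol mask for a server whose compiled-in
 * default is `dflt`. `args` is the SSLProtocol argument string, or NULL when
 * the directive is absent. Returns SSL_PROTOCOL_NONE on a parse error. */
static unsigned effective_protocols(unsigned dflt, const char *args)
{
    char buf[128], *tok;
    unsigned mask = dflt;
    if (!args) return mask;                     /* no directive: default applies */
    if (strlen(args) >= sizeof buf) return SSL_PROTOCOL_NONE;
    strcpy(buf, args);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        char action = (*tok == '+' || *tok == '-') ? *tok++ : '\0';
        unsigned bit;
        if      (ieq(tok, "all"))   bit = SSL_PROTOCOL_ALL;
        else if (ieq(tok, "SSLv2")) bit = SSL_PROTOCOL_SSLV2;
        else if (ieq(tok, "SSLv3")) bit = SSL_PROTOCOL_SSLV3;
        else if (ieq(tok, "TLSv1")) bit = SSL_PROTOCOL_TLSV1;
        else return SSL_PROTOCOL_NONE;          /* unknown token: fail closed */
        if (action == '-')      mask &= ~bit;
        else if (action == '+') mask |= bit;
        else                    mask = bit;     /* bare token replaces the set */
    }
    return mask;
}

int main(void)
{
    printf("default all: %#x, proposed default: %#x\n", effective_protocols(SSL_PROTOCOL_ALL, NULL),
           effective_protocols(SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2, NULL));
    return 0;
}
```

With the proposed default, SSLv2 is only negotiable where an administrator has explicitly opted in (for example with `+SSLv2` or a bare `all`).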
