httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Arkadiusz Miśkiewicz <ar...@maven.pl>
Subject Re: Disable SSLv3 by default
Date Fri, 17 Oct 2014 18:57:14 GMT
On Friday 17 of October 2014, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
> > SSLv3 is now insecure (CVE-2014-3566, POODLE)
> > Let's disable SSLv3 by default, at least trunk.
> > 
> > SSLProtocol default is "all".
> > <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> > "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> > 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> > 
> > Should we remove SSLv3 from "all" ?
> 
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".

Then add "safe" option (leaving "all" as is) and make "safe" default. safe 
would point to known safe protocols at release time.

> Kaspar


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Mime
View raw message