httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Disable SSLv3 by default
Date Fri, 17 Oct 2014 10:14:30 GMT

On 17.10.2014 at 12:02, Takashi Sato wrote:
> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> Let's disable SSLv3 by default, at least on trunk.
>
> SSLProtocol default is "all".
> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2'', respectively."
>
> Should we remove SSLv3 from "all"?

from a user's (admin's) point of view: yes

if somebody really needs it, he can enable SSLv3 deliberately
what sadly does not happen in many setups is disabling it over the years
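
Added example, not part of the original message or of httpd's own code: a small audit that evaluates `SSLProtocol` arguments using the definition of "all" quoted in the thread and reports whether SSLv3 ends up enabled, including when no directive is present. The names `effective_protocols` and `audit` are hypothetical, the configuration is a constructed sample, and it assumes tokens are evaluated left to right with an unprefixed token replacing the set; each directive is judged on its own, without merging across contexts.

```python
import re

# "all" as defined in the documentation quoted in the thread.
ALL_LEGACY = ("SSLv3", "TLSv1")                             # OpenSSL before 1.0.1
ALL_OPENSSL_101 = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # OpenSSL 1.0.1 and later

def effective_protocols(args, openssl_101=True):
    """Evaluate one SSLProtocol argument string left to right."""
    known = ALL_OPENSSL_101 if openssl_101 else ALL_LEGACY
    enabled = set()
    for token in args.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            chosen = set(known)
        else:
            chosen = {p for p in known if p.lower() == name.lower()}
            if not chosen:
                raise ValueError(f"unsupported protocol token: {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:  # assumption: an unprefixed token replaces what was set so far
            enabled = chosen
    return enabled

def audit(config_text, openssl_101=True):
    """Return (line_no, arguments, sslv3_enabled) for each SSLProtocol line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            protocols = effective_protocols(m.group(1), openssl_101)
            findings.append((line_no, m.group(1), "SSLv3" in protocols))
    if not findings:  # no directive at all: the default "all" applies
        default = effective_protocols("all", openssl_101)
        findings.append((0, "all (implicit default)", "SSLv3" in default))
    return findings

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
<VirtualHost *:443>
    SSLProtocol all
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3
</VirtualHost>
"""
print(audit(SAMPLE))
```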

