httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: Disable SSLv3 by default
Date Fri, 17 Oct 2014 17:25:49 GMT
On 17.10.2014 12:02, Takashi Sato wrote:
> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> Let's disable SSLv3 by default, at least trunk.
> SSLProtocol default is "all".
> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> Should we remove SSLv3 from "all" ?

From a semantic point of view, I wouldn't do that. As long as we still
allow SSLv3 to be used, "all" should really mean "all protocols which
can be enabled in mod_ssl".

I'm fine with changing the hardcoded default (in ssl_engine_config.c) to

The other option would be to drop SSLv3 support completely, like we
currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
this case, "all" would no longer include SSLv3, of course.
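The two server-side settings under discussion, as an added example that is not part of this thread: the first block is what the documented default "all" amounts to on an OpenSSL 1.0.1 build, the second is the same configuration with SSLv3 subtracted using the mod_ssl `+`/`-` protocol syntax quoted above. The directive names and syntax are those of Apache httpd 2.4 mod_ssl; the vhost name is a placeholder.

```apache
# Weak: the default "all" still permits SSLv3, which POODLE (CVE-2014-3566) exploits.
<VirtualHost *:443>
    ServerName example.invalid      # placeholder hostname
    SSLEngine on
    SSLProtocol all                 # = +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 on OpenSSL 1.0.1
</VirtualHost>

# Hardened: keep "all" as the base (so new TLS versions are picked up automatically)
# and explicitly remove SSLv3. Clients that can only speak SSLv3 will fail the handshake.
<VirtualHost *:443>
    ServerName example.invalid      # placeholder hostname
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
```

After reloading httpd, a handshake forced to SSLv3 (for example with `openssl s_client -ssl3 -connect host:443` from an OpenSSL build that still includes SSLv3) should fail with a protocol error, while a TLS 1.x handshake still succeeds; that pair of checks confirms the directive took effect on every listening vhost.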

