httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Disable SSLv3 by default
Date Fri, 17 Oct 2014 17:25:49 GMT
On 17.10.2014 12:02, Takashi Sato wrote:
> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> Let's disable SSLv3 by default, at least trunk.
> 
> SSLProtocol default is "all".
> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> 
> Should we remove SSLv3 from "all" ?

>From a semantic point of view, I wouldn't do that. As long as we still
allow SSLv3 to be used, "all" should really mean "all protocols which
can be enabled in mod_ssl".

I'm fine with changing the hardcoded default (in ssl_engine_config.c) to
SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.

The other option would be to drop SSLv3 support completely, like we
currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
this case, "all" would no longer include SSLv3, of course.

Kaspar

Mime
View raw message