httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Disable SSLv3 by default
Date Mon, 20 Oct 2014 17:28:08 GMT

On 20.10.2014 at 19:17, wrowe@rowe-clan.net wrote:
> Is this a responsible recommendation, though?  Does TLSv1.0 offer any
> significant improvement over SSLv3.0 that HTTP server project endorses?
> Can or should 'we' officially designate SSLv3 as undesirable without
> making the same recommendation for TLSv1.0?

from a technical and security point of view: yes
at this time you don't want it on the admin side

there are way too many systems not supporting TLS1.1/1.2

> It seems to me that SAFE at this time is TLSv1.1 TLSv1.2.
> It also seems to me that the first problem to solve is to ensure if the user
> removes SSLv3 (+/- TLSv1.0) from their openssl installed binary, that we
> simply respect that.  In that case, 'SSLProtocol all' should be just the
> remaining supported TLSv1.1 and TLSv1.2 protocols

disabling only SSL3 would make things much better without the impact of
disabling TLS1.0 - speaking as admin: i (or we) need to draw some line

