httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mikhail T." <mi+t...@aldan.algebra.com>
Subject Older clients stopped working after server disabled SSLv3
Date Tue, 28 Oct 2014 22:58:25 GMT
Hello!

After disabling SSLv3:

    SSLOptions ALL -SSLv3

we noticed, that curl itself and libcurl-using programs (such as git) stopped
working on some of the (older) systems -- such as RHEL5 -- when invoked against
the https-URLs pointing at the reconfigured servers.

Invoking curl with the -1 option (a.k.a. --tlsv1) worked, but without the option
curl kept failing -- complaining about SSL protocol error. Unfortunately, there
is no way to propagate that option through git to the underlying libcurl...

On newer systems (RHEL6, FreeBSD9), things are fine, but we have a substantial
number of those old ones and need a solution...

I was able to find this question:

    http://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache/

and a patch linked to from one of the answers:

    http://pastebin.com/Nvat7xTy

I can confirm, that the patch "works" -- curl and git started working after I
restarted the rebuilt httpd. And running sslscan against the patched server
continues to list the "bad" SSLv3 as disabled.

Could somebody, perhaps, begin reviewing it and/or comment even before it is
formally filed with Bugzilla? I searched there, but could not find anything
relevant... Thanks! Yours,

    -mi


Mime
View raw message