httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Takashi Sato <taka...@tks.st>
Subject Disable SSLv3 by default
Date Fri, 17 Oct 2014 10:02:12 GMT
SSLv3 is now insecure (CVE-2014-3566, POODLE)
Let's disable SSLv3 by default, at least trunk.

SSLProtocol default is "all".
<http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
"all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."

Should we remove SSLv3 from "all" ?

Mime
View raw message