From: Arkadiusz Miśkiewicz
To: dev@httpd.apache.org
Subject: Re: Disable SSLv3 by default
Date: Fri, 17 Oct 2014 20:57:14 +0200
References: <5441511D.1070201@velox.ch>
In-Reply-To: <5441511D.1070201@velox.ch>
Message-Id: <201410172057.14850.arekm@maven.pl>

On Friday 17 of October 2014, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
> > SSLv3 is now insecure (CVE-2014-3566, POODLE)
> > Let's disable SSLv3 by default, at least in trunk.
> >
> > SSLProtocol default is "all".
> >
> > "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> > 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> >
> > Should we remove SSLv3 from "all"?
>
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".

Then add a "safe" option (leaving "all" as is) and make "safe" the default.
"safe" would point to known safe protocols at release time.

> Kaspar

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
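As an added illustration of the directive semantics the thread is arguing about (this is not code from httpd or from any of the participants), the following Python model expands `SSLProtocol` arguments the way the quoted documentation describes "all" and flags any vhost that still ends up with SSLv3 enabled, including the case where no `SSLProtocol` line is present and the "all" default applies. The bare/plus/minus token rules and the sample vhost fragment are assumptions of the example, not taken from the message.

```python
# Added example, not httpd's own code: models the SSLProtocol directive from the
# "all" expansion quoted above; assumed token rules: bare=reset, '+'=add, '-'=remove.
ALL_PRE_101 = {"SSLv3", "TLSv1"}                         # OpenSSL < 1.0.1
ALL_101_PLUS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # OpenSSL >= 1.0.1
CANON = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}

def effective_protocols(args, openssl_101_or_later=True):
    """Protocols enabled by `SSLProtocol <args>` (keywords are case-insensitive)."""
    expand_all = ALL_101_PLUS if openssl_101_or_later else ALL_PRE_101
    enabled = set()
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        if name.lower() == "all":
            protos = set(expand_all)
        elif name.lower() in CANON:
            protos = {CANON[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {word!r}")
        if action == "+":
            enabled |= protos
        elif action == "-":
            enabled -= protos
        else:                # bare keyword replaces whatever was set before it
            enabled = protos
    return enabled

def audit_config(config_text, openssl_101_or_later=True):
    """(line number, directive, SSLv3 enabled?) for each SSLProtocol line; with
    no SSLProtocol line at all the default "all" applies (reported as line 0)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if parts and parts[0].lower() == "sslprotocol":
            args = parts[1] if len(parts) > 1 else ""
            sslv3 = "SSLv3" in effective_protocols(args, openssl_101_or_later)
            findings.append((lineno, line.strip(), sslv3))
    if not findings:
        sslv3 = "SSLv3" in effective_protocols("all", openssl_101_or_later)
        findings.append((0, "<default: SSLProtocol all>", sslv3))
    return findings

# Constructed sample (not a real config): vhost 1 keeps "all", vhost 2 drops SSLv3.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLProtocol all
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv3
</VirtualHost>
"""
```

Running `audit_config(SAMPLE_CONF)` reports the first vhost with SSLv3 enabled and the second without, and a fragment with no `SSLProtocol` line is reported as enabling SSLv3 through the default.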