httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Leif Hedstrom <zw...@apache.org>
Subject Re: disable SSLv3 the same way SSLv2 was disabled in mod_ssl
Date Fri, 02 Jan 2015 19:38:29 GMT
We disabled SSLv3 in the defaults for Traffic Server as well. It's still available to be explicitly
turned on though.

-- Leif 



> On Jan 2, 2015, at 12:18 PM, olli hauer <ohauer@gmx.de> wrote:
> 
>> On 2015-01-02 19:31, Tim Bannister wrote:
>>> On 2 Jan 2015, at 18:18, olli hauer <ohauer@gmx.de> wrote:
>>> 
>>> Hi,
>>> 
>>> is there a special reason to keep SSLv3 support on current httpd version (CVE-2014-3566
POODLE attack) ?
>> 
>> See the previous thread starting at http://tinyurl.com/ouyk2cd
>> 
>> My summary:
>> As you note, major browsers have already disabled SSLv3. It's easy to configure httpd
not to offer SSLv3 (and this makes a good default for new installs).
> 
> Thanks for the pointer!
> 
> After reading the thread it seems no real decision was found (keep SSLv3 but exclude
from ALL or drop SSLv3 at all)
> 
> Anyway searching by the subject of the thread gives some results of projects (tomcat
apache bug_id 53952, eclipse bug_id 447381, theforeman bug_id 8282 and others) that acted
and already removed SSLv3 support.
> 
> -- 
> olli

Mime
View raw message