httpd-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: svn commit: r1705618 - /httpd/httpd/branches/2.4.x/STATUS
Date Mon, 28 Sep 2015 12:53:37 GMT
On 28 Sep 2015, at 2:46 PM, Eric Covener <covener@gmail.com> wrote:

>> +     ylavic: Should we really change the (implicit) default in 2.4.x at
>> +             this stage (and potentially break existing configuratios w/o
>> +             SSLProtocol which used to work with SSLv3 only capable clients)?
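Review bot: "configuratios" on the second added line is misspelled and should read "configurations". Writing "w/o" out as "without" on the same line would also make the STATUS entry easier to search, since this comment documents a behaviour change for configurations that have no SSLProtocol directive.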
> 
> I think the right thing to do here is to break them.

There are two ways to look at this:

- The existence of SSLv3 is a security hole, and for the security hole to be fixed, it must be removed from httpd.

- The existence of SSLv3 is a security hole, but the fix may DoS people. Emit loud warnings on startup that SSLv3 should be removed from the config (and possibly that SSLv3 will be removed completely in future patch release Y).

Regards,
Graham
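
The second option in the message above (warn while SSLv3 is still enabled) can be approximated outside httpd with a configuration check that also covers the case of a config with no `SSLProtocol` line. This is an added example, not code from the thread or from httpd: `enabled_protocols`, `audit` and `implicit_default` are hypothetical names, the token evaluation is a simplified model of `SSLProtocol`, and the check reads a single config text without following `Include` or per-vhost scoping.

```python
import re

# Protocol names accepted by SSLProtocol in the 2.4.x era discussed here.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample config (not from the thread): no active SSLProtocol line.
SAMPLE = "Listen 443\nSSLEngine on\n# SSLProtocol all -SSLv3\n"


def enabled_protocols(spec):
    """Simplified model: '+x' adds, '-x' removes, a bare token replaces the set."""
    enabled = set()
    for token in spec.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "all":
            chosen = set(PROTOCOLS)
        else:
            chosen = {p for p in PROTOCOLS if p.lower() == name}
            if not chosen:
                raise ValueError(f"unknown protocol {token!r}")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


def audit(config_text, implicit_default="all"):
    """Return warnings for each way SSLv3 stays enabled in config_text."""
    # Assumption: implicit_default models what applies with no SSLProtocol line.
    warnings, seen = [], False
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # commented-out directives do not match
        if not match:
            continue
        seen = True
        if "SSLv3" in enabled_protocols(match.group(1)):
            warnings.append(f"line {lineno}: SSLProtocol enables SSLv3")
    if not seen and "SSLv3" in enabled_protocols(implicit_default):
        warnings.append("no SSLProtocol directive: implicit default enables SSLv3")
    return warnings
```

Calling `audit(SAMPLE)` and then `audit(SAMPLE, implicit_default="all -SSLv3")` shows how the same unchanged config moves from flagged to clean when only the implicit default changes.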