On Wed, 2 Mar 2016 15:33:29 +0100 Martin <[email protected]> wrote:
> For httpd the spec says
>
> SSLCipherSuite
> 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'

I'm not exactly sure what the camellia crap is doing there and this looks fishy and overly complicated to me in many ways, but anyway:

> where it is the :+SSLv3: part that to me looks like it is enabled
> despite the

Welcome to the confusion of TLS. Don't be ashamed, I asked almost the same question somewhere some years ago, don't remember where.

+SSLv3 enables the cipher suites that are available in SSLv3. The thing is: these are largely the same as the ones used in later protocol versions. Therefore that doesn't mean you're supporting SSLv3, it just means you're supporting the cipher suites that were supported in SSLv3 and are also supported in later versions.

> SSLProtocol All -SSLv2 -SSLv3

This is the right thing to do and will prevent all SSLv2/SSLv3 connections.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________ Ach mailing list [email protected] http://lists.cert.at/cgi-bin/mailman/listinfo/ach
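
An added example, not part of the original message: a small Python audit of the two directives quoted in the thread, keeping the protocol set (SSLProtocol) apart from cipher-string elements that merely name a protocol version. It uses a simplified model of SSLProtocol and the element syntax documented in OpenSSL's ciphers(1); the helper names and the expansion of `All` are assumptions.

```python
import re

# Constructed sample: the two directives quoted in the thread.
HTTPD_CONF = """\
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
"""

# Assumption: what "All" expands to depends on the httpd/OpenSSL build.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Leading operators of a cipher-string element, per OpenSSL ciphers(1).
CIPHER_OPS = {"!": "kill", "-": "remove", "+": "move-to-end"}

def directive(conf, name):
    """Return the argument string of the last `name` directive, unquoted."""
    hits = re.findall(rf"^\s*{name}\s+(.+?)\s*$", conf, re.M | re.I)
    return hits[-1].strip("'\"") if hits else ""

def enabled_protocols(spec):
    """Simplified model of SSLProtocol: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in spec.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = {p for p in ALL_PROTOCOLS if name.lower() in ("all", p.lower())}
        if op == "-":
            enabled -= group
        elif op == "+":
            enabled |= group
        else:
            enabled = set(group)
    return enabled

def cipher_rules(spec):
    """Split a cipher string into (operation, [selectors ANDed by '+'])."""
    rules = []
    for elem in filter(None, re.split(r"[:, ]+", spec)):
        op = CIPHER_OPS.get(elem[0], "add")
        body = elem[1:] if elem[0] in CIPHER_OPS else elem
        rules.append((op, body.split("+")))
    return rules

def audit(conf):
    """Protocols the server offers, plus cipher rules that merely name one."""
    protocols = enabled_protocols(directive(conf, "SSLProtocol"))
    rules = cipher_rules(directive(conf, "SSLCipherSuite"))
    named = [r for r in rules if set(r[1]) & ALL_PROTOCOLS]
    return sorted(protocols), named

if __name__ == "__main__":
    print(audit(HTTPD_CONF))
```

In the result, SSLv3 is absent from the protocol list and shows up only as a cipher-list rule, which selects and orders suites and has no say over which protocol versions are negotiated.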
