On 17.10.2014 12:02, Takashi Sato wrote:
> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> Let's disable SSLv3 by default, at least trunk.
>
> SSLProtocol default is "all".
> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
>
> Should we remove SSLv3 from "all" ?
From a semantic point of view, I wouldn't do that. As long as we still allow SSLv3 to be used, "all" should really mean "all protocols which can be enabled in mod_ssl". I'm fine with changing the hardcoded default (in ssl_engine_config.c) to SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.

The other option would be to drop SSLv3 support completely, like we currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In this case, "all" would no longer include SSLv3, of course.

Kaspar
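The distinction Kaspar draws, that an explicit `SSLProtocol all` keeps SSLv3 while the compiled-in default drops it, is easy to get wrong when reading a config. The following is an added example written for this page, not code from httpd or mod_ssl: a small Python model of how SSLProtocol tokens combine into a protocol bitmask. The `Proto` bit values are assumed names standing in for the SSL_PROTOCOL_* constants mentioned in the thread, the expansion of `all` follows the trunk documentation quoted above, and the rule that an unprefixed token replaces everything set so far is my reading of mod_ssl's parser and should be treated as an assumption.

```python
"""Model of SSLProtocol token semantics (constructed example, not mod_ssl code).

Bits are assumed stand-ins for SSL_PROTOCOL_* in ssl_engine_config.c.
"""
from enum import IntFlag


class Proto(IntFlag):
    NONE = 0
    SSLV3 = 1 << 1
    TLSV1 = 1 << 2
    TLSV1_1 = 1 << 3
    TLSV1_2 = 1 << 4


# Token names as they appear in httpd.conf, matched case-insensitively.
TOKENS = {
    "sslv3": Proto.SSLV3,
    "tlsv1": Proto.TLSV1,
    "tlsv1.1": Proto.TLSV1_1,
    "tlsv1.2": Proto.TLSV1_2,
}


def protocol_all(openssl_101_or_later: bool = True) -> Proto:
    """Expansion of the 'all' shortcut as the trunk docs describe it."""
    mask = Proto.SSLV3 | Proto.TLSV1
    if openssl_101_or_later:
        mask |= Proto.TLSV1_1 | Proto.TLSV1_2
    return mask


def proposed_default(openssl_101_or_later: bool = True) -> Proto:
    """The hardcoded default Kaspar proposes: SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3."""
    return Proto(int(protocol_all(openssl_101_or_later)) & ~int(Proto.SSLV3))


def parse_sslprotocol(arg: str, openssl_101_or_later: bool = True) -> Proto:
    """Combine SSLProtocol tokens into a bitmask.

    '+tok' adds, '-tok' removes, and a bare token replaces the set built
    so far (assumed to mirror the directive parser; the order matters).
    """
    options = Proto.NONE
    for word in arg.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            this = protocol_all(openssl_101_or_later)
        elif key in TOKENS:
            this = TOKENS[key]
        else:
            raise ValueError(f"Illegal protocol '{word}' in SSLProtocol")
        if action == "-":
            options = Proto(int(options) & ~int(this))
        elif action == "+":
            options = Proto(int(options) | int(this))
        else:
            options = this  # bare token overrides anything already set
    return options


def is_valid_sslprotocol(arg: str) -> bool:
    """True when every token in the directive argument is known."""
    try:
        parse_sslprotocol(arg)
    except ValueError:
        return False
    return True


def names(mask: Proto) -> list:
    """Human-readable protocol list for a mask, in bit order."""
    return [p.name for p in (Proto.SSLV3, Proto.TLSV1, Proto.TLSV1_1, Proto.TLSV1_2) if p in mask]


if __name__ == "__main__":
    for directive in ("all", "all -SSLv3", "-SSLv3 all", "TLSv1.2"):
        print(f"SSLProtocol {directive!r:16} -> {names(parse_sslprotocol(directive))}")
    print("proposed hardcoded default  ->", names(proposed_default()))
```

Two things the model makes visible: `all -SSLv3` and the proposed compiled-in default produce the same mask, while a literal `all` still enables SSLv3 unless SSLv3 support is removed from the build as SSLv2 was; and `-SSLv3 all` does not disable SSLv3, because the bare `all` replaces the set, so the `-SSLv3` must come after it.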