On Friday 17 October 2014, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
> > SSLv3 is now insecure (CVE-2014-3566, POODLE).
> > Let's disable SSLv3 by default, at least in trunk.
> >
> > The SSLProtocol default is "all".
> > <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> > "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> > 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2'', respectively."
> >
> > Should we remove SSLv3 from "all"?
>
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".

Then add a "safe" option (leaving "all" as is) and make "safe" the default. "safe" would point to the protocols known to be safe at release time.

> Kaspar

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )