On 17.10.2014 19:25, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
>> SSLv3 is now insecure (CVE-2014-3566, POODLE)
>> Let's disable SSLv3 by default, at least trunk.
>>
>> SSLProtocol default is "all".
>> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
>> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
>> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
>>
>> Should we remove SSLv3 from "all" ?
>
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".
>
> I'm fine with changing the hardcoded default (in ssl_engine_config.c) to
> SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.

For the record: this is part of r1703952 which I just committed to trunk
(and will propose for backporting to 2.4 shortly, unless there are
objections).

> The other option would be to drop SSLv3 support completely, like we
> currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
> this case, "all" would no longer include SSLv3, of course.

This is left as a next step, which I consider appropriate for trunk, at
least.

Kaspar
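The distinction the thread draws (changing the hardcoded default versus changing what "all" means) is easy to get wrong when auditing a config: after r1703952 a server with no SSLProtocol line no longer offers SSLv3, but one that spells out "SSLProtocol all" still does. The following is an added example, not httpd code; it models the directive evaluation under both defaults. It assumes OpenSSL 1.0.1 or later for the "all" expansion, the +/- merging rule as I read it from ssl_engine_config.c (a bare token replaces the set, a prefixed token adds to or removes from it), and constructed sample configs.

```python
"""Model mod_ssl's SSLProtocol evaluation to check whether SSLv3 stays enabled.

Added example, not httpd code. It mirrors ssl_engine_config.c's token merging as
I read it: a bare token replaces the set, a '+'/'-' token adds to or removes
from it. The "all" expansion assumes OpenSSL 1.0.1 or later.
"""
import re

# What "all" expands to with OpenSSL 1.0.1+ (mod_ssl already refuses SSLv2).
ALL_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}  # directive names are case-insensitive

def parse_sslprotocol(args):
    """Return the protocol set selected by the tokens of one SSLProtocol line."""
    enabled = set()
    for tok in args:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            selected = set(ALL_PROTOCOLS)
        elif name.lower() in _CANON:
            selected = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol {name!r}")
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:  # bare token: overrides whatever was accumulated before it
            enabled = selected
    return enabled

def effective_protocols(config_text, default_excludes_sslv3):
    """Protocols in force; the last SSLProtocol line wins, and the hardcoded
    default applies when there is none (old: all; r1703952: all & ~SSLv3)."""
    found = re.findall(r"^\s*SSLProtocol\s+(.+?)\s*$", config_text, re.M | re.I)
    if not found:
        return ALL_PROTOCOLS - {"SSLv3"} if default_excludes_sslv3 else set(ALL_PROTOCOLS)
    return parse_sslprotocol(found[-1].split())

def sslv3_enabled(config_text, default_excludes_sslv3=True):
    """True when the config (under the given default) still offers SSLv3."""
    return "SSLv3" in effective_protocols(config_text, default_excludes_sslv3)

# Constructed sample configs, not taken from any real server.
NO_DIRECTIVE = "SSLEngine on\nSSLCertificateFile /etc/ssl/cert.pem\n"
EXPLICIT_ALL = "SSLEngine on\nSSLProtocol all\n"
HARDENED = "SSLEngine on\nSSLProtocol all -SSLv3\n"
```

Running `sslv3_enabled` over the three samples shows the point of the thread: only the implicit default changes with r1703952, an explicit "all" keeps SSLv3 until it is dropped from mod_ssl entirely.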