On Sat, Sep 19, 2015 at 4:05 AM, Kaspar Brand <httpd-dev.2...@velox.ch> wrote:
> On 17.10.2014 19:25, Kaspar Brand wrote:
> > On 17.10.2014 12:02, Takashi Sato wrote:
> >> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> >> Let's disable SSLv3 by default, at least trunk.
> >>
> >> SSLProtocol default is "all".
> >> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> >> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> >> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> >>
> >> Should we remove SSLv3 from "all" ?
> >
> > From a semantic point of view, I wouldn't do that. As long as we still
> > allow SSLv3 to be used, "all" should really mean "all protocols which
> > can be enabled in mod_ssl".
> >
> > I'm fine with changing the hardcoded default (in ssl_engine_config.c) to
> > SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.
>
> For the record: this is part of r1703952 which I just committed to trunk
> (and will propose for backporting to 2.4 shortly, unless there are
> objections).
>
> > The other option would be to drop SSLv3 support completely, like we
> > currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
> > this case, "all" would no longer include SSLv3, of course.
>
> This is left as a next step, which I consider appropriate for trunk, at
> least.

Trunk, yes. POLS says no, not 2.4, no matter how 'clean' that solution
seems. You cannot break users migrating across a subversion bump. You
are welcome to scream at them in their error log that an ill-advised
protocol has been requested, as long as it is non-fatal.
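The three things the thread is juggling (what "all" expands to, what the hard-coded default is when SSLProtocol is absent from the config, and a non-fatal warning when SSLv3 still ends up enabled) are easier to see side by side. The following is an added, stand-alone model written for this page; it is not httpd's code. The bit values mirror the SSL_PROTOCOL_* defines in mod_ssl's ssl_private.h as I remember them (verify against your tree), the token handling follows the documented +/- semantics of the directive (a bare token replaces the list, +/- adds or removes), the SSL_PROTOCOL_UNSET sentinel stands in for mod_ssl's own "directive not set" bookkeeping, and sslv3_requested() is only an illustration of the "scream in the error log but don't fail" suggestion above, not something mod_ssl does:

```c
/* Added example: model of mod_ssl's SSLProtocol handling around the
 * r1703952 default change. Not httpd's code. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Mirrors ssl_private.h (assumption: verify against your checkout). */
#define SSL_PROTOCOL_NONE     0u
#define SSL_PROTOCOL_SSLV2    (1u << 0)
#define SSL_PROTOCOL_SSLV3    (1u << 1)
#define SSL_PROTOCOL_TLSV1    (1u << 2)
#define SSL_PROTOCOL_TLSV1_1  (1u << 3)
#define SSL_PROTOCOL_TLSV1_2  (1u << 4)
#define SSL_PROTOCOL_ALL      (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | \
                               SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2)

/* Hard-coded default used when SSLProtocol is absent: before r1703952
 * it was "all", afterwards "all" minus SSLv3. "all" itself is unchanged. */
#define OLD_DEFAULT_PROTOCOL  SSL_PROTOCOL_ALL
#define NEW_DEFAULT_PROTOCOL  (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)

/* Sentinel for "directive not present" (example's own simplification). */
#define SSL_PROTOCOL_UNSET    0xFFFFFFFFu

/* Case-insensitive compare; mod_ssl has its own helper for this. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static unsigned protocol_flag(const char *name)
{
    if (ci_equal(name, "SSLv2"))   return SSL_PROTOCOL_SSLV2;
    if (ci_equal(name, "SSLv3"))   return SSL_PROTOCOL_SSLV3;
    if (ci_equal(name, "TLSv1"))   return SSL_PROTOCOL_TLSV1;
    if (ci_equal(name, "TLSv1.1")) return SSL_PROTOCOL_TLSV1_1;
    if (ci_equal(name, "TLSv1.2")) return SSL_PROTOCOL_TLSV1_2;
    if (ci_equal(name, "all"))     return SSL_PROTOCOL_ALL;
    return SSL_PROTOCOL_NONE;      /* unknown token */
}

/* Parse the argument string of an SSLProtocol line into a bitmask.
 * Returns 0 on success, -1 on an illegal protocol name (a fatal
 * config error, as in mod_ssl). */
int parse_ssl_protocol(const char *args, unsigned *mask)
{
    char buf[256];
    char *tok;
    unsigned options = SSL_PROTOCOL_NONE;

    if (strlen(args) >= sizeof buf)
        return -1;
    strcpy(buf, args);

    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        char action = 0;
        unsigned flag;

        if (*tok == '+' || *tok == '-')
            action = *tok++;
        flag = protocol_flag(tok);
        if (flag == SSL_PROTOCOL_NONE)
            return -1;
        if (action == '-')
            options &= ~flag;          /* "all -SSLv3" drops one bit     */
        else if (action == '+')
            options |= flag;           /* "+TLSv1.2" adds one bit        */
        else
            options = flag;            /* bare token replaces the list   */
    }
    *mask = options;
    return 0;
}

/* What ends up in effect: the configured mask, or the hard-coded default. */
unsigned effective_protocols(unsigned configured, unsigned hardcoded_default)
{
    return configured == SSL_PROTOCOL_UNSET ? hardcoded_default : configured;
}

/* Non-fatal check in the spirit of the reply: 1 means "log a warning". */
int sslv3_requested(unsigned mask)
{
    return (mask & SSL_PROTOCOL_SSLV3) != 0;
}

int main(void)
{
    const char *lines[] = { "all", "all -SSLv3", "-SSLv3 +TLSv1.2", "TLSv1.2" };
    size_t i;
    unsigned m;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        if (parse_ssl_protocol(lines[i], &m) == 0)
            printf("SSLProtocol %-16s -> 0x%02x%s\n", lines[i], m,
                   sslv3_requested(m) ? "  [warn: SSLv3 enabled]" : "");

    printf("unset, old default -> 0x%02x\n",
           effective_protocols(SSL_PROTOCOL_UNSET, OLD_DEFAULT_PROTOCOL));
    printf("unset, new default -> 0x%02x\n",
           effective_protocols(SSL_PROTOCOL_UNSET, NEW_DEFAULT_PROTOCOL));
    return 0;
}
```

The point the model makes concrete: the default change only helps configs that omit SSLProtocol entirely. A config that spells out "SSLProtocol all" keeps SSLv3 on either side of the change, which is exactly why the semantic question about "all" and the question about the default are separate, and why a warning rather than a hard failure is the migration-safe option for 2.4.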