...at long last (but I don't understand everything--see below).

On Sat, 2015-01-17 at 17:07 +0100, Andre Speelmans wrote:
> > Thanks for the suggestion.  Changing the min (and fallback-limit,
> > because I didn't know what that did) to 10 does not cause a failure to
> > connect.  So either (a) the server change didn't take or (b) the browser
> > change didn't take or (c) I need to do something else in the browser to
> > force SSLv3.
> Test the browser with those settings against a server that you know has
> no POODLE vulnerability?

It turns out, for reasons I haven't figured out, that changing the
SSLProtocol line in /etc/httpd/conf.d/ssl.conf from 

        SSLProtocol All -SSLv2

to

        SSLProtocol All -SSLv2 -SSLv3

doesn't seem to disable the SSLv3 protocol, as advertised.  Instead, I
had to add the second version to the configuration for one of my vhosts
that supports https protocol.  I put it below the line

        SSLEngine on

inside the <VirtualHost *:443> block and then it worked fine.

Not sure why it doesn't work in ssl.mod or how I was supposed to figure
it out, but at least now it's working.

It occurs to me that this might be an issue with the order in which
files in /etc/httpd/conf.d are read: the vhost file is alphabetically
earlier than ssl.conf.  If that's correct, then maybe those files should
be named like the files in /etc/init.d, with prefix numbers to force an
ordering on them?

Thanks for the help.
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
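
Added example, not part of the original message or of any Fedora/httpd tooling: a small audit that reports which SSLProtocol setting each SSL-enabled <VirtualHost> block actually carries, since a directive written inside one block does not apply to another. The file names and contents are constructed, and the layout (ssl.conf holding the directive inside its own vhost block) and the treatment of a missing directive as "all" including SSLv3 are assumptions.

```python
import re

# Constructed sample (not the poster's files): conf.d/*.conf in the
# alphabetical order Apache includes them.
SAMPLE = {
    "mysite.conf": "<VirtualHost *:443>\n  SSLEngine on\n</VirtualHost>\n",
    "ssl.conf": "<VirtualHost _default_:443>\n  SSLEngine on\n"
                "  SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n",
}

def allows_sslv3(proto):
    """Evaluate an SSLProtocol value left to right: a bare name replaces
    the set, +name adds, -name removes. None is treated as "all" (assumption)."""
    enabled = False
    for tok in (proto or "all").lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        hit = name in ("all", "sslv3")
        if sign == "-":
            enabled = enabled and not hit
        elif sign == "+":
            enabled = enabled or hit
        else:
            enabled = hit
    return enabled

def audit(files):
    """Return [(file, vhost address, effective SSLProtocol, SSLv3 allowed)]
    for every <VirtualHost> block that has SSLEngine on."""
    global_proto, vhosts, cur = None, [], None
    for name in sorted(files):
        for raw in files[name].splitlines():
            line = raw.strip()
            opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            proto = re.match(r"SSLProtocol\s+(.+)", line, re.I)
            if opened:
                cur = {"file": name, "addr": opened.group(1), "ssl": False, "proto": None}
            elif line.lower().startswith("</virtualhost") and cur:
                vhosts.append(cur)
                cur = None
            elif re.match(r"SSLEngine\s+on\b", line, re.I) and cur:
                cur["ssl"] = True
            elif proto and cur:
                cur["proto"] = proto.group(1).strip()  # scoped to this vhost only
            elif proto:
                global_proto = proto.group(1).strip()  # server-level scope
    report = []
    for v in vhosts:
        if v["ssl"]:
            eff = v["proto"] or global_proto  # vhost-level setting wins
            report.append((v["file"], v["addr"], eff or "(default)", allows_sslv3(eff)))
    return report
```

To run it against a real tree, build the dictionary from the files in /etc/httpd/conf.d and print the rows that audit() returns; it does not follow Include directives or line continuations.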