On 29.10.2014 04:37, Yann Ylavic wrote:
> Forgot to mention the OP reproducer, that is with "SSLProtocol ALL
> -SSLv3" (with or without the patch), both SSLv2Hello and SSLv3Hello
> (version SSLv3) are refused by httpd.

But if "ALL" is replaced with "ANY", then the (patched) server will be willing to advise the connecting clients to talk TLS, right?

That would solve our problem, though some may wonder about the subtle differences between "any" and "all" :-)

More seriously, it would also make the config-files incompatible with earlier httpd-releases -- whereas the patch I linked to does not have this problem.

But if your patch is going to be part of the next release, I'll proceed to building the (patched) 2.4.10 here ahead of time -- corporate Information Security are quite nervous about us still allowing SSLv3...

Thanks! Yours,

-mi