On 29.10.2014 04:37, Yann Ylavic wrote:
> Forgot to mention the OP reproducer, that is with "SSLProtocol ALL
> -SSLv3" (with or without the patch), both SSLv2Hello and SSLv3Hello
> (version SSLv3) are refused by httpd.
But if "ALL" is replaced with "ANY", then the (patched) server will be
willing to advise the connecting clients to talk TLS, right?

That would solve our problem, though some may wonder about the subtle
differences between "any" and "all" :-) More seriously, it would also
make the config-files incompatible with earlier httpd-releases --
whereas the patch I linked to does not have this problem.

But if your patch is going to be part of the next release, I'll proceed
to building the (patched) 2.4.10 here ahead of time -- corporate
Information Security are quite nervous about us still allowing SSLv3...

Thanks! Yours,

    -mi
