On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. <mi+t...@aldan.algebra.com> wrote:
> On 29.10.2014 04:37, Yann Ylavic wrote:
>>
>> Forgot to mention the OP reproducer, that is with "SSLProtocol ALL
>> -SSLv3" (with or without the patch), both SSLv2Hello and SSLv3Hello
>> (version SSLv3) are refused by httpd.
>
> But if "ALL" is replaced with "ANY", then the (patched) server will be
> willing to advise the connecting clients to talk TLS, right?

Right, since the only protocols remaining are TLSv1.x (SSLv2 is
forcibly disabled in 2.4.x).
ANY is to be seen as "ALL +SSLv2Hello", maybe SSLv2Hello would be a
clearer keyword, but IMHO it couldn't be included to ALL w/o breaking
(some) configuration.
Since ALL not including SSLv2Hello looked weird to me, I proposed the
ANY semantic...
I'm quite open on the terms, though.

>
> That would solve our problem, though some may wonder about the subtle
> differences between "any" and "all" :-) More seriously, it would also make
> the config-files incompatible with earlier httpd-releases -- whereas the
> patch I linked to does not have this problem.

ANY is not meant to replace ALL, the latter would still exist and do
the same thing as before.
Just using "ANY -SSLv3" *instead of* "ALL -SSLv3" would do the trick
for you, and not change the existing configurations pleased with the
current meaning of ALL.

>
> But if your patch is going to be part of the next release, I'll proceed to
> building the (patched) 2.4.10 here ahead of time -- corporate Information
> Security are quite nervous about us still allowing SSLv3...

Using my patch, "SSLProtocol ANY -SSLv3" should be enough.
It is less intrusive than using SSLv23 unconditionally (i.e. does not
break "SSLProtocol TLSv1.2" where really TLSv1.2 only is to be allowed
from the first ClientHello).

Regards,
Yann.
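To make the ALL-versus-ANY semantics discussed in this thread concrete, here is an added illustration (not httpd code and not part of the thread): a small evaluator of an SSLProtocol line under the assumption that ALL is the httpd 2.4.x protocol set with SSLv2 forcibly disabled, and that ANY is the proposed "ALL +SSLv2Hello" from Yann's patch rather than a released keyword. The ClientHello acceptance check is a simplified model of the behaviour the thread describes.

```python
# Added illustration of the proposed SSLProtocol semantics from the thread.
# Assumptions: httpd 2.4.x protocol set (SSLv2 forcibly disabled), and the
# proposed ANY keyword = "ALL +SSLv2Hello" (from the patch, not a release).

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}   # no SSLv2 in 2.4.x
SSLV2_HELLO = "SSLv2Hello"   # SSLv2-format ClientHello announcing a newer version
KEYWORDS = {"ALL": set(ALL), "ANY": ALL | {SSLV2_HELLO}}


def parse_sslprotocol(directive):
    """Return the set of protocols / hello formats enabled by one directive."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("expected an SSLProtocol directive")
    enabled = set()
    for tok in tokens[1:]:
        # "+name" or bare "name" adds, "-name" removes (mod_ssl style)
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        members = KEYWORDS.get(name.upper(), {name})
        enabled = enabled | members if op == "+" else enabled - members
    return enabled


def accepts_sslv2_hello(directive):
    """True if an SSLv2-format ClientHello is accepted at all."""
    return SSLV2_HELLO in parse_sslprotocol(directive)


def hello_accepted(directive, hello_format, announced_version):
    """Simplified model: the announced version must be enabled, and an
    SSLv2-format hello additionally needs SSLv2Hello enabled."""
    enabled = parse_sslprotocol(directive)
    if hello_format == SSLV2_HELLO and SSLV2_HELLO not in enabled:
        return False
    return announced_version in enabled
```

With "SSLProtocol ALL -SSLv3" every SSLv2-format hello is refused, while "SSLProtocol ANY -SSLv3" accepts one that announces a TLS version and still refuses SSLv3 itself.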