Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Mikhail T.
Hello! After disabling SSLv3: SSLOptions ALL -SSLv3 we noticed that curl itself and libcurl-using programs (such as git) stopped working on some of the (older) systems -- such as RHEL5 -- when invoked against the https-URLs pointing at the reconfigured servers. Invoking curl with the -1

Re: Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Eric Covener
On Tue, Oct 28, 2014 at 6:58 PM, Mikhail T. mi+t...@aldan.algebra.com wrote: Hello! After disabling SSLv3: SSLOptions ALL -SSLv3 we noticed that curl itself and libcurl-using programs (such as git) stopped working on some of the (older) systems -- such as RHEL5 -- when invoked against

Re: Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Eric Covener
On Tue, Oct 28, 2014 at 9:15 PM, Eric Covener cove...@gmail.com wrote: There is an older/pre-poodle PR out there somewhere where the symptom seems to be the v2hello/v2open disappearing with -SSLv3. I can't find it though -- Jeff?

Timeout 300 in default httpd.conf?

2014-10-28 Thread Eric Covener
Is 300 good for anyone? The hard-coded default is 60 which seems awfully high to me already. -- Eric Covener cove...@gmail.com

Re: Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Yann Ylavic
On Wed, Oct 29, 2014 at 2:15 AM, Eric Covener cove...@gmail.com wrote: They had a year-old httpd2.4 from EPEL / RH software collections but it's built against an old openssl, so it isn't aware of tls1.1 and tls1.2 and that same block of code ends up locking you into exactly TLSv1.0 once you

Re: Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Eric Covener
On Tue, Oct 28, 2014 at 9:43 PM, Yann Ylavic ylavic@gmail.com wrote: Kaspar, does the v2open require sslv2method? What do you think of the patch above? I don't think so, SSLv23 seems to use the lowest non-disabled method, and we explicitly disable the ones not configured. So it

Re: Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Yann Ylavic
On Wed, Oct 29, 2014 at 2:43 AM, Yann Ylavic ylavic@gmail.com wrote: Maybe we should introduce another protocol keyword, namely ANY, which would opt-in SSLv23 (SSLv2Hello), and not disable single protocol configuration in any case like in the patch proposed by Mikhail. So that SSLProtocol

Re: Older clients stopped working after server disabled SSLv3

2014-10-28 Thread Yann Ylavic
On Wed, Oct 29, 2014 at 3:01 AM, Yann Ylavic ylavic@gmail.com wrote: On Wed, Oct 29, 2014 at 2:43 AM, Yann Ylavic ylavic@gmail.com wrote: Maybe we should introduce another protocol keyword, namely ANY, which would opt-in SSLv23 (SSLv2Hello), and not disable single protocol