Yup, that's correct. http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols SSLv3 is /currently/ enabled by default.
On Fri, Oct 31, 2014 at 9:37 AM, Thijs Kinkhorst <th...@debian.org> wrote: > Hi Thomas, > > On Fri, October 31, 2014 12:48, Thomas Ward (Dark-Net) wrote: >> fixed 1.6.2-3 >> thanks >> >> Confirmed: This was done already. The commit this was done in was >> this one: >> http://anonscm.debian.org/cgit/collab-maint/nginx.git/commit/?id=9a4e0f0a698bee2b03b7f417ad9286e5eb22141e > > Thanks. That's certainly an improvement. > > It seems though that from reading the code, that if you omit an explicit > "ssl_protocols" declaration in your config, you will still get SSLv3. Is > that correct? > > > Cheers, > Thijs > -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org