On 14.11.2011 15:46, William A. Rowe Jr. wrote:
> Isn't it similarly time to deploy SSLProtocol -SSLv2 by default?

Oh yes, definitely. I didn't realize that "all" is still the default for SSLProtocol... for trunk and 2.4, I would suggest changing the defaults in the code. In decreasing order of preference:

- completely drop SSLv2 support
- change the default (in modssl_ctx_init) to SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV2

The first option also means that we would "comply" with RFC 6176 (in case someone complains about mod_ssl dropping support for a clearly outdated and insecure protocol).

Kaspar
