On 18.11.2011 06:32, Kaspar Brand wrote:
> As I can't think of any good reason why a new major version of an HTTPS
> server released in late 2011 should still support insecure SSL protocol
> cruft from the 1990s (v2 was superseded about 15 years ago, when SSLv3
> was introduced), I went for the first option and completely dropped
> SSLv2 support with r1203491/r1203495 in trunk and 2.4, respectively.
>
> For the SSLProtocol directive, specifying "-SSLv2" is still permitted,
> but basically just for backward compatibility with the relatively
> popular "SSLProtocol all -SSLv2" incantation (technically, the code
> simply ignores "-SSLv2", as it is now always forced to off).

You might want to drop the -SSLv2 from our SSLCipherSuite in docs/conf/extra/httpd-ssl.conf.in then as well.

Rainer
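
A cleanup check for the leftovers discussed in this thread, added here as an example and not part of either message or of httpd itself: it scans configuration text for SSLv2 tokens in `SSLProtocol` and `SSLCipherSuite` and notes which ones are no-ops after the change. The sample configuration, the function name `find_sslv2_tokens` and the note wording are constructed for illustration.

```python
import re

# Constructed sample config (not the contents of docs/conf/extra/httpd-ssl.conf.in).
SAMPLE_CONF = """\
# constructed sample
Listen 443
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:-SSLv2
<VirtualHost _default_:443>
    SSLProtocol +SSLv2 +SSLv3
</VirtualHost>
"""

# Directive names are matched case-insensitively; comment lines never match.
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.*\S)\s*$", re.IGNORECASE)


def find_sslv2_tokens(conf_text):
    """Return (line_no, directive, token, note) for every SSLv2 token found."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines, unrelated directives
        directive, value = m.group(1), m.group(2)
        is_protocol = directive.lower() == "sslprotocol"
        # SSLProtocol takes whitespace-separated tokens; cipher strings
        # are separated by ':', ',' or spaces.
        sep = r"\s+" if is_protocol else r"[:,\s]+"
        for token in re.split(sep, value.strip('"')):
            if token.lstrip("+-!").lower() != "sslv2":
                continue
            if is_protocol and token.startswith("-"):
                # Per the thread: still accepted, but ignored by the parser.
                note = "ignored by the parser (SSLv2 is always off); safe to delete"
            elif is_protocol:
                note = "asks for a protocol the server no longer supports; review"
            else:
                note = "cipher-string leftover; candidate for removal"
            findings.append((line_no, directive, token, note))
    return findings


if __name__ == "__main__":
    for line_no, directive, token, note in find_sslv2_tokens(SAMPLE_CONF):
        print(f"line {line_no}: {directive} {token}: {note}")
```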
