--------- Original Message --------- Subject: Re: Disable SSLv3 by default
From: "Arkadiusz Miśkiewicz" <ar...@maven.pl>
Date: 10/17/14 1:57 pm
To: dev@httpd.apache.org

On Friday 17 of October 2014, Kaspar Brand wrote:
 > On 17.10.2014 12:02, Takashi Sato wrote:
 > > SSLv3 is now insecure (CVE-2014-3566, POODLE)
 > > Let's disable SSLv3 by default, at least trunk.
 > > 
 > > SSLProtocol default is "all".
 > > <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
 > > "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
 > > 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
 > > 
 > > Should we remove SSLv3 from "all" ?
 > 
 > From a semantic point of view, I wouldn't do that. As long as we still
 > allow SSLv3 to be used, "all" should really mean "all protocols which
 > can be enabled in mod_ssl".

Then add a "safe" option (leaving "all" as is) and make "safe" the default. "safe"
would point to the known-safe protocols at release time.

Is this a responsible recommendation, though?  Does TLSv1.0 offer any
significant improvement over SSLv3.0 that the HTTP server project endorses?
Can or should 'we' officially designate SSLv3 as undesirable without
making the same recommendation for TLSv1.0?
 
It seems to me that SAFE at this time is TLSv1.1 TLSv1.2.
 
It also seems to me that the first problem to solve is to ensure that, if the user
removes SSLv3 (+/- TLSv1.0) from their installed openssl binary, we
simply respect that.  In that case, 'SSLProtocol all' should be just the
remaining supported TLSv1.1 and TLSv1.2 protocols.
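The resolution argued for above, as an added example that is not httpd's own code: a small Python model of how an SSLProtocol keyword list resolves against what the linked OpenSSL build actually supports, with the proposed "safe" keyword included as a hypothetical alias. It assumes that a keyword without a +/- prefix replaces the set built so far rather than adding to it, and that a version absent from the OpenSSL build is simply unavailable.

```python
# Added example (not httpd's code): a model of how an SSLProtocol keyword
# list resolves to a protocol set, following the documented meaning of "all"
# quoted in the thread and the +/- prefix syntax, with the proposed "safe"
# keyword as a hypothetical alias. Assumption: a keyword without +/- replaces
# the set built so far instead of adding to it.

# Protocols mod_ssl could enable at the time, oldest first (constructed list).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Hypothetical "safe" keyword from the thread: TLSv1.1 and TLSv1.2.
SAFE_PROTOCOLS = ("TLSv1.1", "TLSv1.2")


def effective_protocols(directive, openssl_supported):
    """Return the versions enabled by `directive` on a given OpenSSL build.

    openssl_supported lists the versions compiled into the OpenSSL binary.
    "all" expands only to those, so a build with SSLv3 removed never gets
    it back from "SSLProtocol all", which is the behaviour argued for in
    the thread.
    """
    supported = [p for p in ALL_PROTOCOLS if p in openssl_supported]
    enabled = set()
    for token in directive.split():
        action = token[0] if token[0] in "+-" else "="
        name = token.lstrip("+-")
        if name.lower() == "all":
            members = set(supported)
        elif name.lower() == "safe":            # hypothetical keyword
            members = {p for p in SAFE_PROTOCOLS if p in supported}
        elif name in ALL_PROTOCOLS:
            # A version the OpenSSL build lacks cannot be enabled at all.
            members = {name} if name in supported else set()
        else:
            raise ValueError("unknown SSLProtocol keyword: %s" % token)
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = members   # bare keyword replaces what was set before
    return tuple(p for p in ALL_PROTOCOLS if p in enabled)


if __name__ == "__main__":
    no_ssl3 = ("TLSv1", "TLSv1.1", "TLSv1.2")   # OpenSSL built without SSLv3
    print(effective_protocols("all", ALL_PROTOCOLS))
    print(effective_protocols("all", no_ssl3))             # SSLv3 stays out
    print(effective_protocols("all -SSLv3 -TLSv1", ALL_PROTOCOLS))
    print(effective_protocols("safe", ALL_PROTOCOLS))      # ('TLSv1.1', 'TLSv1.2')
```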
