On 20.10.2014 at 19:17, wr...@rowe-clan.net wrote:
> Is this a responsible recommendation, though? Does TLSv1.0 offer any significant improvement over SSLv3.0 that the HTTP server project endorses? Can or should 'we' officially designate SSLv3 as undesirable without making the same recommendation for TLSv1.0?
from a technical and security point of view: yes at this time you don't want it on the admin side there are way too many systems not supporting TLS1.1/1.2
> It seems to me that SAFE at this time is TLSv1.1 and TLSv1.2. It also seems to me that the first problem to solve is to ensure if the user removes SSLv3 (+/- TLSv1.0) from their openssl installed binary, that we simply respect that. In that case, 'SSLProtocol all' should be just the remaining supported TLSv1.1 and TLSv1.2 protocols.
disabling only SSL3 would make things much better without the impact of disabling TLS1.0 - spoken as admin: I (or we) need to draw some line
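A small model of the two positions in this exchange: 'SSLProtocol all' resolving to whatever the installed OpenSSL still supports, and the narrower option of dropping only SSLv3. This is an added example, not code from the thread or from httpd; the function names and the token semantics (`+`/`-` prefixes, a bare name replacing the current set) are assumptions, and the inputs are constructed.

```python
# Simplified model (an assumption, not mod_ssl code) of resolving an
# SSLProtocol-style token list against the protocols the TLS library offers.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def effective_protocols(directive, built_in):
    """Return the protocols actually offered, in KNOWN order.

    directive: tokens such as "all -SSLv3" (names are case-insensitive).
    built_in:  protocols compiled into the TLS library (constructed input).
    """
    names = {k.lower(): k for k in KNOWN}
    available = {p for p in KNOWN if p in built_in}
    enabled = set()
    for token in directive.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()
        if name == "all":
            chosen = set(available)   # "all" = whatever the build still has
        elif name in names:
            chosen = {names[name]}
        else:
            raise ValueError(f"unknown protocol: {token}")
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen          # bare token replaces the current set
    # A protocol the library lacks can never be offered, whatever was asked.
    return [p for p in KNOWN if p in (enabled & available)]


def audit(directive, built_in):
    """Report the offered protocols and flag a setup that still offers SSLv3."""
    offered = effective_protocols(directive, built_in)
    return {"offered": offered, "sslv3_enabled": "SSLv3" in offered}


if __name__ == "__main__":
    full_build = set(KNOWN)                 # constructed: nothing removed
    trimmed_build = {"TLSv1.1", "TLSv1.2"}  # constructed: SSLv3/TLSv1 removed
    for directive, build in (("all", full_build),
                             ("all -SSLv3", full_build),
                             ("all", trimmed_build)):
        print(directive, sorted(build), audit(directive, build))
```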