On 20.10.2014 at 19:17, wr...@rowe-clan.net wrote:
Is this a responsible recommendation, though?  Does TLSv1.0 offer any
significant improvement over SSLv3.0 that the HTTP server project endorses?
Can or should 'we' officially designate SSLv3 as undesirable without
making the same recommendation for TLSv1.0?

from a technical and security point of view: yes
at this time you don't want it on the admin side

there are way too many systems not supporting TLS1.1/1.2

It seems to me that SAFE at this time is TLSv1.1 TLSv1.2.
It also seems to me that the first problem to solve is to ensure if the user
removes SSLv3 (+/- TLSv1.0) from their openssl installed binary, that we
simply respect that.  In that case, 'SSLProtocol all' should be just the
remaining supported TLSv1.1 and TLSv1.2 protocols

disabling only SSL3 would make things much better without the impact of disabling TLS1.0 - spoken as admin: I (or we) need to draw some line
