On 2015-01-02 19:31, Tim Bannister wrote: > On 2 Jan 2015, at 18:18, olli hauer <[email protected]> wrote: >> >> Hi, >> >> is there a special reason to keep SSLv3 support on current httpd version >> (CVE-2014-3566 POODLE attack) ? > > See the previous thread starting at http://tinyurl.com/ouyk2cd > > My summary: > As you note, major browsers have already disabled SSLv3. It's easy to > configure httpd not to offer SSLv3 (and this makes a good default for new > installs). >
Thanks for the pointer! After reading the thread it seems no real decision was found (keep SSLv3 but exclude from ALL or drop SSLv3 at all) Anyway searching by the subject of the thread gives some results of projects (tomcat apache bug_id 53952, eclipse bug_id 447381, theforeman bug_id 8282 and others) that acted and already removed SSLv3 support. -- olli
