We disabled SSLv3 in the defaults for Traffic Server as well. It's still available to be explicitly turned on though.
-- Leif

> On Jan 2, 2015, at 12:18 PM, olli hauer <[email protected]> wrote:
>
>> On 2015-01-02 19:31, Tim Bannister wrote:
>>> On 2 Jan 2015, at 18:18, olli hauer <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> is there a special reason to keep SSLv3 support on current httpd version
>>> (CVE-2014-3566 POODLE attack) ?
>>
>> See the previous thread starting at http://tinyurl.com/ouyk2cd
>>
>> My summary:
>> As you note, major browsers have already disabled SSLv3. It's easy to
>> configure httpd not to offer SSLv3 (and this makes a good default for new
>> installs).
>
> Thanks for the pointer!
>
> After reading the thread it seems no real decision was found (keep SSLv3 but
> exclude from ALL or drop SSLv3 at all)
>
> Anyway searching by the subject of the thread gives some results of projects
> (tomcat apache bug_id 53952, eclipse bug_id 447381, theforeman bug_id 8282
> and others) that acted and already removed SSLv3 support.
>
> --
> olli
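
An added example, not part of the thread and not httpd or Traffic Server code: a small Python audit that evaluates `SSLProtocol` arguments left to right and reports the directives that still leave SSLv3 enabled. The evaluation rules (`+` adds, `-` removes, a bare name replaces the set), the protocol list, and the hypothetical `all_includes_sslv3` switch, which models the "exclude from ALL" option mentioned in the thread, are assumptions; the sample configuration is constructed.

```python
import re

# Assumption: protocol names accepted by the SSLProtocol directive at the time.
KNOWN = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def effective_protocols(args, all_includes_sslv3=True):
    """Evaluate SSLProtocol arguments left to right.
    '+X' adds, '-X' removes, a bare name (or 'all') replaces the set so far."""
    everything = set(KNOWN) if all_includes_sslv3 else KNOWN - {"sslv3"}
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            group = everything
        elif name in KNOWN:
            group = {name}
        else:
            raise ValueError(f"unknown protocol {token!r}")
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def audit(config_text, all_includes_sslv3=True):
    """Return (line_number, arguments) for each SSLProtocol line that leaves SSLv3 on."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if match and "sslv3" in effective_protocols(match.group(1), all_includes_sslv3):
            findings.append((number, match.group(1)))
    return findings

# Constructed sample configuration, not taken from any real server.
SAMPLE = """\
# global default
SSLProtocol all
<VirtualHost *:443>
    SSLProtocol all -SSLv3
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol -SSLv3 TLSv1 +SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for number, args in audit(SAMPLE):
        print(f"line {number}: SSLProtocol {args} still offers SSLv3")
```

The third directive in the sample shows why order matters: a later `+SSLv3` re-enables what an earlier `-SSLv3` removed, so a search for `-SSLv3` alone is not a sufficient check.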
