> -----Original Message-----
> From: Jan Kaluža
> Sent: Tuesday, 21 July 2015 14:35
> To: [email protected]
> Subject: mod_ssl: How to react on default OpenSSL SSL_CTX_set_options?
>
> Hi,
>
> in Fedora, OpenSSL maintainers are setting SSL_OP_NO_SSLv2 and
> SSL_OP_NO_SSLv3 options by default [1].
>
> This disables both SSLv2 and SSLv3 by default in the SSLv23_method(),
> which is what mod_ssl uses when more than one version is requested.
>
> The side effect of this change in OpenSSL is that some configurations
> that attempt to explicitly enable SSLv3 don't work correctly. While
> this enables SSLv3, as it uses SSLv3_method:
>
>     SSLProtocol +SSLv3
>
> the following two do not work:
>
>     SSLProtocol +SSLv3 +TLSv1
>     SSLProtocol all -TLSv1.1 -TLSv1.2
>
> We have the following options now:
>
> 1. Clear the SSL_OP_NO_SSLvX flags when there is "+SSLvX". It means
> doing something like:
>
>     if (!(protocol & SSL_PROTOCOL_SSLV3)) {
>         SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3);
>     } else {
>         SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3);
>     }
>
> That overwrites the defaults set by the OpenSSL.
>
> 2. Same as 1., but print a warning that we are overwriting the system
> OpenSSL settings.
I would go for 2.

Regards

Rüdiger
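The set-only versus set-or-clear behaviour discussed in the quoted message, modelled in a small added C program that is not mod_ssl or OpenSSL code: the SSL_PROTOCOL_* and SSL_OP_NO_* bit values, the table, and the warning text are constructed stand-ins, and SYSTEM_DEFAULT_OPTIONS mirrors the Fedora default of NO_SSLv2 plus NO_SSLv3. It shows why "SSLProtocol +SSLv3 +TLSv1" leaves SSLv3 disabled under the old logic and how option 2 clears the bit while logging the override.

```c
#include <stdio.h>
/* Constructed stand-ins for mod_ssl's SSL_PROTOCOL_* bits and OpenSSL's
 * SSL_OP_NO_* option bits; the values are illustrative, not from headers. */
#define PROTO_SSLV2 0x01u
#define PROTO_SSLV3 0x02u
#define PROTO_TLSV1 0x04u
#define OP_NO_SSLV2 0x01000000u
#define OP_NO_SSLV3 0x02000000u
#define OP_NO_TLSV1 0x04000000u
/* What a Fedora-style OpenSSL build puts into every fresh SSL_CTX. */
#define SYSTEM_DEFAULT_OPTIONS (OP_NO_SSLV2 | OP_NO_SSLV3)

static const struct { unsigned proto, op_no; const char *name; } table[] = {
    { PROTO_SSLV2, OP_NO_SSLV2, "SSLv2" },
    { PROTO_SSLV3, OP_NO_SSLV3, "SSLv3" },
    { PROTO_TLSV1, OP_NO_TLSV1, "TLSv1" },
};
#define NTABLE (sizeof table / sizeof table[0])

/* Old mod_ssl logic: only ever sets SSL_OP_NO_* bits, so a bit the library
 * already set (NO_SSLv3 here) survives "SSLProtocol +SSLv3 +TLSv1". */
unsigned apply_set_only(unsigned ctx_options, unsigned protocol) {
    for (size_t i = 0; i < NTABLE; i++)
        if (!(protocol & table[i].proto))
            ctx_options |= table[i].op_no;
    return ctx_options;
}

/* System-default NO_* bits that the requested SSLProtocol would override. */
unsigned cleared_defaults(unsigned ctx_options, unsigned protocol) {
    unsigned cleared = 0;
    for (size_t i = 0; i < NTABLE; i++)
        if ((protocol & table[i].proto) && (ctx_options & table[i].op_no))
            cleared |= table[i].op_no;
    return cleared;
}

/* Option 2 from the thread: set when excluded, clear when requested, and
 * warn so that overriding the distribution's default is visible in logs. */
unsigned apply_set_or_clear(unsigned ctx_options, unsigned protocol) {
    unsigned cleared = cleared_defaults(ctx_options, protocol);
    for (size_t i = 0; i < NTABLE; i++) {
        if (cleared & table[i].op_no)
            fprintf(stderr, "warning: SSLProtocol re-enables %s, overriding the OpenSSL default\n", table[i].name);
        if (protocol & table[i].proto)
            ctx_options &= ~table[i].op_no;   /* SSL_CTX_clear_options() */
        else
            ctx_options |= table[i].op_no;    /* SSL_CTX_set_options()   */
    }
    return ctx_options;
}
```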
