On 28 Sep 2015, at 2:46 PM, Eric Covener <[email protected]> wrote:

>> + ylavic: Should we really change the (implicit) default in 2.4.x at
>> + this stage (and potentially break existing configurations w/o
>> + SSLProtocol which used to work with SSLv3-only capable
>> clients)?
>
> I think the right thing to do here is to break them.
There are two ways to look at this:

- The existence of SSLv3 is a security hole, and for the security hole to be fixed, it must be removed from httpd.

- The existence of SSLv3 is a security hole, but the fix may DoS people. Emit loud warnings on startup that SSLv3 should be removed from the config (and possibly that SSLv3 will be removed completely in future patch release Y).

Regards,
Graham
—
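The two options above (change the implicit default, or keep it and warn loudly) both hinge on what a given httpd.conf actually ends up enabling. The following is an added example, not code from httpd or from anyone on this thread: it evaluates an SSLProtocol argument with the same `+`/`-`/bare-name semantics mod_ssl documents (a bare protocol name or `all` replaces whatever was set so far; `+`/`-` add or remove), then reports whether SSLv3 is enabled explicitly or only through the implicit default. The `implicit_default="all"` parameter, the assumption that `all` in 2.4.x means SSLv3 through TLSv1.2, and the sample config fragments are assumptions made for the example; it ignores per-VirtualHost scoping and looks only at the last SSLProtocol line it sees.

```python
"""Evaluate an httpd SSLProtocol directive and flag SSLv3.

Added example, not mod_ssl code. Models the directive semantics
described in the mod_ssl docs; the implicit default and the meaning
of 'all' are assumptions stated in the lead-in.
"""
import re

# Protocol tokens mod_ssl 2.4.x accepts (SSLv2 is gone in 2.4), keyed
# lowercase because mod_ssl matches them case-insensitively.
PROTOCOLS = {
    "sslv3": "SSLv3",
    "tlsv1": "TLSv1",
    "tlsv1.1": "TLSv1.1",
    "tlsv1.2": "TLSv1.2",
}
# Assumption for this example: 'all' expands to every protocol above,
# including SSLv3, which is the 2.4.x behaviour the thread is discussing.
ALL = frozenset(PROTOCOLS.values())


def parse_sslprotocol(arg):
    """Return the set of protocols enabled by an SSLProtocol argument.

    '+X' adds X, '-X' removes X, and a bare 'X' or 'all' replaces
    whatever has been accumulated so far (a missing +/- is a classic
    misconfiguration: '-SSLv3 all' still enables SSLv3).
    Raises ValueError on an unknown token, as mod_ssl rejects it.
    """
    enabled = set()
    for word in arg.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            this = set(ALL)
        elif key in PROTOCOLS:
            this = {PROTOCOLS[key]}
        else:
            raise ValueError("Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this  # bare name overrides earlier settings
    return enabled


def effective_protocols(config_text, implicit_default="all"):
    """Scan a config fragment for SSLProtocol (last one wins).

    Returns (enabled set, explicit) where explicit tells whether a
    directive was present or the implicit default was applied.
    Scoping by VirtualHost is deliberately ignored here.
    """
    directive = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # httpd comments are whole lines
            continue
        m = re.match(r"(?i)SSLProtocol\s+(.+)", line)
        if m:
            directive = m.group(1)
    if directive is None:
        return parse_sslprotocol(implicit_default), False
    return parse_sslprotocol(directive), True


def sslv3_warning(config_text, implicit_default="all"):
    """Return a startup-style warning string if SSLv3 ends up enabled, else None."""
    enabled, explicit = effective_protocols(config_text, implicit_default)
    if "SSLv3" not in enabled:
        return None
    if explicit:
        return ("SSLv3 is enabled by an explicit SSLProtocol directive; "
                "remove it, e.g. 'SSLProtocol all -SSLv3'")
    return ("No SSLProtocol directive found; the implicit default '%s' "
            "enables SSLv3" % implicit_default)


if __name__ == "__main__":
    # Constructed config fragments, not taken from any real deployment.
    samples = {
        "no directive": "SSLEngine on\n",
        "explicit all": "SSLEngine on\nSSLProtocol all\n",
        "fixed": "SSLEngine on\nSSLProtocol all -SSLv3\n",
        "missing minus": "SSLProtocol -SSLv3 all\n",
    }
    for name, text in samples.items():
        print("%-14s -> %s" % (name, sslv3_warning(text)))
```

Running it with `implicit_default="all -SSLv3"` models the proposed new default: the "no directive" fragment then produces no warning, while a config that explicitly names SSLv3 still does, which is exactly the split between the two camps in the thread.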
