On Mon, Sep 28, 2015 at 7:53 AM, Graham Leggett <[email protected]> wrote:
> On 28 Sep 2015, at 2:46 PM, Eric Covener <[email protected]> wrote:
>
> >> + ylavic: Should we really change the (implicit) default in 2.4.x at
> >> + this stage (and potentially break existing configurations w/o
> >> + SSLProtocol which used to work with SSLv3 only capable clients)?
> >
> > I think the right thing to do here is to break them.
>
> There are two ways to look at this:
>
> - The existence of SSLv3 is a security hole, and for the security hole to
> be fixed, it must be removed from httpd.
>
> - The existence of SSLv3 is a security hole, but the fix may DoS people.
> Emit loud warnings on startup that SSLv3 should be removed from the config
> (and possibly that SSLv3 will be removed completely in future patch release
> Y).

By which we mean TLSv1.0/SSLv3, because there is so little technical difference between them. Strongly -1 to "fixing" SSLv3 unless we apply the identical change to TLSv1.0.

I am so strongly torn in both directions that I'm unable to offer a single opinion. My only thought is that if updating to 2.4.18 "breaks things", that tarnishes our reputation; leaving an unwise protocol enabled "by default" also tarnishes our reputation.

The only thing that bends my opinion slightly is that if we discourage users from moving to 2.4.18 by making it harder to keep their entire systems operational, we grow another stagnant pool of "httpd 1.3"-style users out there in perpetuity.
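
As an added illustration that is not part of the thread: the implicit default being argued over only applies to a virtual host that has no SSLProtocol line, so a configuration that states the protocol set explicitly behaves the same whichever way the 2.4.x default goes. The vhost below is constructed for this purpose (hostname and paths are placeholders); the SSLProtocol syntax is mod_ssl's own.

```apacheconf
# Constructed example vhost for httpd 2.4 mod_ssl; not from the thread.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Omitting SSLProtocol means "whatever this httpd/OpenSSL build
    # considers the default", which is exactly what a point release may
    # change. Stating it removes the surprise on upgrade.
    #
    # Legacy setting that still admits SSLv3 and TLSv1.0:
    #   SSLProtocol all
    #
    # Hardened, in line with the reply above (drop SSLv3 and TLSv1.0
    # together, since they differ little technically):
    SSLProtocol all -SSLv3 -TLSv1
</VirtualHost>
```

After editing, `httpd -t` (or `apachectl configtest`) confirms the directive parses; clients that can only speak SSLv3 or TLSv1.0 will then fail the handshake against this vhost regardless of which default the release ships, which is the trade-off the thread is weighing.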
