On Sep 28, 2015 1:08 PM, "Plüm, Rüdiger, Vodafone Group" <[email protected]> wrote:
>
>
>
> > -----Original Message-----
> > From: Eric Covener [mailto:[email protected]]
> > Sent: Monday, 28 September 2015 19:00
> > To: Apache HTTP Server Development List <[email protected]>
> > Subject: Re: svn commit: r1705618 - /httpd/httpd/branches/2.4.x/STATUS
> >
> > On Mon, Sep 28, 2015 at 12:33 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> > > By which we mean TLSv1.0/SSLv3 because there is so little technical
> > > difference between them.
> >
> > AORN {
> > I think there is enough difference to disable one by default and not
> > the other.  The final straw for SSLv3 was POODLE. But POODLE on TLS
> > 1.0 was fixable/fixed. The Qualys TLS best practice doc
> > differentiates them, and the scanner dings you seriously for SSLv3 and
> > not at all for TLS1.0. From my own support work, anecdotally,
> > commercial scan tools seem to treat things the same as Qualys.
> > }
> >
>
> +1. SSLv3 and TLS 1.0 are close, but there are some differences and the
> ability to prevent POODLE is (an important) one of them.

Agreed that the padding issue was the most critical.

If folks really want to support TLS 1.0 and not SSLv3 as a default, I'm not
going to stand in the way, but am still -0.5 on the inconsistency.
