Without explicitly disabling TLS 1.0 and 1.1, doesn't that open the
config up to TLS downgrade attacks? Just because RC4 is disabled isn't
enough to patch up old TLS protocol versions. It should be using 1.2
minimum.

On Thu, 22 Oct 2020 at 09:30, Sam Ruby <ru...@intertwingly.net> wrote:
>
> On Thu, Oct 22, 2020 at 9:21 AM sebb <seb...@gmail.com> wrote:
> >
> > whimsy-vm*.yaml have:
> > apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3']
> >
> > AFAICT this overrides the default, which is
> >
> > apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1',
> > '-TLSv1.1']
> >
> > Is there a reason for the override?
>
> This change was made by the infrastructure team:
>
> https://github.com/apache/infrastructure-puppet/commit/b9b1a54e603eb9cd0a12a2ac782041bc06cf09d7
>
> > S
>
> - Sam Ruby



-- 
Matt Sicker <boa...@gmail.com>