Hello everyone!
I originally asked back in June 2014 if there was a config to turn off
SSL3 because at that time offering SSL3 connections resulted in failing
my PCI-DSS compliance. Gilles kindly and rationally replied:
Gilles Chehade wrote, On 06/08/14 05:40:
> no, we don't want to make this tunable.
>
> the rationale is that we want to propose the best encryption by default.
> if there is a better choice, it should be proposed and discussed openly
> as it should become the new default.
>
> yes, it's tempting to provide ssl_ciphers but unless there's a very good
> reason to do it, we won't introduce this new knob.
Fortunately, SSLv3 was disabled a few months later; problem solved.
So this feels like déjà vu. Again, I'm failing my PCI compliance due to
my public mail server offering a "vulnerable" protocol—this time, TLS 1.0.
Are there plans to disable TLSv1?
Would removing support for TLSv1 align with the goal of "the best
encryption by default"?
Thanks,
Clint