that's right, SSLv3 is no longer secure. 2014-10-17 19:14 GMT+09:00 Reindl Harald <h.rei...@thelounge.net>:
> > Am 17.10.2014 um 12:02 schrieb Takashi Sato: > > SSLv3 is now insecure (CVE-2014-3566, POODLE) >> Let's disable SSLv3 by default, at least trunk. >> >> SSLProtocol default is "all". >> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol> >> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL >> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively." >> >> Should we remove SSLv3 from "all"? >> > > from a users (admins) point of view: yes > > if somebody really needs it he can enable SSLv3 deliberate > what sadly not happens in many setup is disable it over years > >
