I have verified that apache2 2.4.12-2ubuntu2 (in Vivid and Wily) ships
with:
SSLProtocol all -SSLv3
I'm with Seth in that retrospectively updating existing 14.04
deployments risks breaking users. Even if we could update only fresh
installs of 14.04, that would be particularly confusing an
I don't think we will want to push updates to disable ssl3 on existing
systems, and I'm not sure how feasible it would be to push an update
that only modifies the defaults for brand-new installs. I suspect the
only thing to be done for 14.04 LTS is to educate system administrators
about the risks o