Commit 8fde7782 authored by Yann Ylavic

default conf: Disable SSLv3, like SSLv2, in the default configuration.

Committed by: covener
Reviewed by: covener, ylavic, gsmith
Backported by: ylavic


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678700 13f79535-47bb-0310-9956-ffa450edef68
parent 54d47148
+0 −5
@@ -101,11 +101,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]

   * default conf: Disable SSLv3, like SSLv2, in the default configuration.
     trunk patch: n/a -- Only 2.2.x has SSLProtocol in httpd-ssl.conf.in
     2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=32131     
     +1: covener, ylavic, gsmith

   * mod_ssl: Add SSLSessionTickets (on|off). [Rainer Jung]
     It controls the use of TLS session tickets (RFC 5077).
     Default is unchanged (on).
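Review bot: the removed STATUS entry is the only place on this commit that points to the 2.2.x patch (Bugzilla attachment id=32131) and explains why there is no trunk patch; the commit message carries neither. Suggest citing the attachment URL and the "Only 2.2.x has SSLProtocol in httpd-ssl.conf.in" rationale in the commit message so the backport stays traceable once STATUS no longer lists it.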
+3 −2
@@ -69,8 +69,9 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
 
#   SSL Protocol support:
#   List the protocol versions which clients are allowed to
#   connect with. Disable SSLv2 by default (cf. RFC 6176).
SSLProtocol all -SSLv2
#   connect with. Disable SSLv2 (cf. RFC 6176) and SSLv3
#   (cf. RFC 7525 and CVE 2014-3566).
SSLProtocol all -SSLv2 -SSLv3

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
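Review bot: in the new comment above SSLProtocol the advisory is written "CVE 2014-3566"; the identifier is normally written with a hyphen, CVE-2014-3566, which is the form people will search for. Because `SSLProtocol all -SSLv2 -SSLv3` is a deny-list, the comment would also be clearer if it said which protocol versions remain enabled, so an administrator reading the default file does not have to infer it. The change only touches the shipped default, so a CHANGES entry telling administrators with an existing httpd-ssl.conf to add `-SSLv3` themselves would be worth adding alongside it.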