Bug#765347: Disable SSLv3 in default config

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#765347: Disable SSLv3 in default config
From: Thijs Kinkhorst <thijs@debian.org>
Date: Tue, 14 Oct 2014 13:06:28 +0200
Message-id: <[🔎] 20141014110628.539.63042.reportbug@aphrodite.kinkhorst.nl>
Reply-to: Thijs Kinkhorst <thijs@debian.org>, 765347@bugs.debian.org

Package: apache2
Version: 2.4.10-5
Severity: wishlist

Hi,

The shipped mods-available/ssl.conf now contains:

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol all

I propose to change that to !SSLv3.
This protocol version is long deprecated and only required to suport
rare and insecure platforms like IE6 on XP. Those that really need it
can enable it, but having it disabled would be a sane default for Jessie.


Cheers,
Thijs

Reply to:

Follow-Ups:
- Bug#765347: marked as done (Disable SSLv3 in default config)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: UID bug in mod SSL
Next by Date: Bug#765347: Disable SSLv3 in default config
Previous by thread: UID bug in mod SSL
Next by thread: Bug#765347: marked as done (Disable SSLv3 in default config)
Index(es):
- Date
- Thread