Bug#765347: Disable SSLv3 in default config
Package: apache2
Version: 2.4.10-5
Severity: wishlist
Hi,
The shipped mods-available/ssl.conf now contains:
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
SSLProtocol all
I propose to change that to !SSLv3.
This protocol version is long deprecated and only required to suport
rare and insecure platforms like IE6 on XP. Those that really need it
can enable it, but having it disabled would be a sane default for Jessie.
Cheers,
Thijs
Reply to: