[Ach] Looks like SSLv3 is enabled for httpd in spec?

Hanno Böck hanno at hboeck.de
Wed Mar 2 15:41:02 CET 2016

On Wed, 2 Mar 2016 15:33:29 +0100
Martin <rc6encrypted at gmail.com> wrote:

> For httpd the spec says
> SSLCipherSuite

I'm not exactly sure what the camellia crap is doing there and this
looks fishy and overly complicated to me in many ways, but anyway:

> where it is the :+SSLv3: part that to me looks like it is enabled
> despite the

Welcome to the confusion of TLS. Don't be ashamed, I asked almost the
same question somewhere some years ago, don't remember where.

+SSlv3 enables the cipher suites that are available in SSLv3. The thing
is: these are largely the same as the ones used in later protocol
versions. Thefore that doesn't mean you're supporting SSLv3, it just
means you're supporting the cipher suites that were supported in SSLv3
and are also supported in later versions.

> SSLProtocol All -SSLv2 -SSLv3

This is the right thing to do and will prevent all SSLv2/SSLv3

Hanno Böck

mail/jabber: hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20160302/5c446e65/attachment.sig>

More information about the Ach mailing list