Summary: | Disable SSLv3 by default (POODLE) | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | roidelapluie |
Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bhanu.karumudi, petr.sumbera |
Priority: | P2 | ||
Version: | 2.5-HEAD | ||
Target Milestone: | --- | ||
Hardware: | All | ||
OS: | All | ||
Attachments: | attachment 32131: poodle patch (add "-SSLv3" to the SSLProtocol directive in the default configuration) | ||
 | attachment 32635: patch for 2.4 to limit SSLDirective macro 'all' to just TLS protocols | ||
Description (roidelapluie, 2014-10-21 09:55:55 UTC)
Created attachment 32131 [details]
poodle patch (add "-SSLv3" to the SSLProtocol directive in the default configuration)
Thanks -- n/a for 2.4 or later, proposed in 2.2.x for backport.

Petr Sumbera (comment #3):
It would probably be better to disable SSLv3 in the binary directly and not just in the ssl config file. Note that Apache 2.4 doesn't have an SSLProtocol directive in the sample ssl config file. I'm proposing to limit the SSL_PROTOCOL_ALL macro to just TLS protocols. This still allows using the SSLProtocol directive and adding +SSLv3 if really needed.

Created attachment 32635 [details]
patch for 2.4 to limit SSLDirective macro 'all' to just TLS protocols

Kaspar Brand (comment #5):
(In reply to Petr Sumbera from comment #3)
> It would probably be better to disable SSLv3 in the binary directly
> I'm proposing to limit the SSL_PROTOCOL_ALL macro to just TLS protocols.

I disagree with this approach, for the reason outlined in https://mail-archives.apache.org/mod_mbox/httpd-dev/201410.mbox/%3C5441511D.1070201%40velox.ch%3E. Adapting the default in ssl_engine_config.c:modssl_ctx_init() is the solution I'd suggest.

Comment on attachment 32131 [details]
poodle patch (add "-SSLv3" to the SSLProtocol directive in the default configuration)

This was applied to 2.2.x with r1678700, and a similar change was done with the r1679987 commit for 2.4.x.

Kaspar Brand (comment #7):
Comment on attachment 32635 [details]
patch for 2.4 to limit SSLDirective macro 'all' to just TLS protocols

(In reply to Kaspar Brand from comment #5)
> Adapting the default in ssl_engine_config.c:modssl_ctx_init() is the
> solution I'd suggest.

Implemented with the r1703952 trunk commit, marking this patch as obsolete therefore.

(In reply to Kaspar Brand from comment #7)
> Implemented with the r1703952 trunk commit

Proposed for backporting to 2.4.x with r1705398.
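The thread settles on two separate knobs: the shipped config file gains `SSLProtocol all -SSLv3` (r1678700 / r1679987), while the compiled-in default used when no directive is present is changed in modssl_ctx_init() (r1703952), and the `all` macro itself is deliberately left alone (attachment 32635 was rejected). That means an operator cannot tell from the directive alone whether SSLv3 is off: `SSLProtocol all` still includes SSLv3 on every 2.4 build, and a config with no directive depends on which default the binary was built with. The script below is an added example written for this page, not code from the bug report or from httpd. It evaluates an SSLProtocol directive the way mod_ssl's parser does (left to right: `all` selects every protocol, `+NAME` adds one, `-NAME` removes one, a bare `NAME` selects only that protocol) and reports whether SSLv3 survives. Assumptions: `all` has its 2.4 meaning with OpenSSL 1.0.1 or later (SSLv3 TLSv1 TLSv1.1 TLSv1.2); the last SSLProtocol line in the file is the one in effect (VirtualHost scoping is ignored); the compiled-in default is supplied by the caller; the three sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or httpd): evaluate an SSLProtocol
# directive the way mod_ssl does and report whether SSLv3 is still enabled.
# Assumes the 2.4 meaning of "all" with OpenSSL >= 1.0.1, ignores
# <VirtualHost> scoping (last SSLProtocol line wins) and takes the
# compiled-in default from the caller.

ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# canon NAME: print the canonical protocol name (mod_ssl matches names
# case-insensitively); fail on a name mod_ssl would reject as illegal.
canon() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        all)     echo all ;;
        sslv3)   echo SSLv3 ;;
        tlsv1)   echo TLSv1 ;;
        tlsv1.1) echo TLSv1.1 ;;
        tlsv1.2) echo TLSv1.2 ;;
        *)       return 1 ;;
    esac
}

# add_proto SET NAME / remove_proto SET NAME: print SET with NAME added or removed.
add_proto()    { case " $1 " in *" $2 "*) printf '%s\n' "$1" ;; *) printf '%s\n' "${1:+$1 }$2" ;; esac; }
remove_proto() { out=""; for p in $1; do [ "$p" = "$2" ] || out="${out:+$out }$p"; done; printf '%s\n' "$out"; }

# effective_protocols FILE DEFAULT: print the protocol set FILE leaves enabled.
# DEFAULT is the compiled-in default used when FILE has no SSLProtocol line
# ("all" before r1703952, "all -SSLv3" after it).
effective_protocols() {
    directive=$(sed 's/#.*//' "$1" |
        awk 'tolower($1) == "sslprotocol" { $1 = ""; last = $0 } END { print last }')
    [ -n "$directive" ] || directive=$2
    protos=""
    for tok in $directive; do
        action=set
        case $tok in
            +*) action=add;    tok=${tok#+} ;;
            -*) action=remove; tok=${tok#-} ;;
        esac
        name=$(canon "$tok") || { echo "SSLProtocol: illegal protocol '$tok'" >&2; return 2; }
        if [ "$name" = all ]; then name=$ALL_PROTOCOLS; fi
        case $action in
            set)    protos=$name ;;
            add)    for p in $name; do protos=$(add_proto "$protos" "$p"); done ;;
            remove) for p in $name; do protos=$(remove_proto "$protos" "$p"); done ;;
        esac
    done
    printf '%s\n' "$protos"
}

# sslv3_enabled FILE DEFAULT: exit 0 when SSLv3 is still offered.
sslv3_enabled() {
    case " $(effective_protocols "$1" "$2") " in
        *" SSLv3 "*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample configurations for the demonstration (not from the report).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/weak.conf" <<'EOF'
# "all" still includes SSLv3 in 2.4, so POODLE is not mitigated here
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
EOF
cat >"$tmp/fixed.conf" <<'EOF'
# the form applied by r1678700 (2.2.x) and r1679987 (2.4.x)
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv3
</VirtualHost>
EOF
cat >"$tmp/nodirective.conf" <<'EOF'
# no SSLProtocol at all: the compiled-in default decides
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
EOF

# Usage: check each file against both possible compiled-in defaults.
for f in weak fixed nodirective; do
    for default in "all" "all -SSLv3"; do
        if sslv3_enabled "$tmp/$f.conf" "$default"; then verdict="SSLv3 ENABLED"; else verdict="SSLv3 off"; fi
        printf '%-18s default=%-12s -> %s (%s)\n' "$f.conf" "$default" "$verdict" \
            "$(effective_protocols "$tmp/$f.conf" "$default")"
    done
done
```

The point the table makes explicit: only `nodirective.conf` changes verdict with the compiled-in default, `weak.conf` is vulnerable on any build, and `fixed.conf` is safe on any build. Note also that `all -SSLv3 +SSLv3` re-enables SSLv3, which is exactly the escape hatch Petr Sumbera's comment describes. For an actual deployment, confirm from the outside as well, since per-VirtualHost directives and the loaded OpenSSL decide what is really negotiated.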