SSLProtocol all -SSLv2 -SSLv3

3 posts / 0 new

Topic locked

Last post

#1 Mon, 02/16/2015 - 07:35

jimdunn

SSLProtocol all -SSLv2 -SSLv3

Not sure which forum to post this in...

QUESTION: has openssl been fixed, so that we can fix the SSLProtocol entry in our ssl.conf file?

I have:

SSLProtocol all -SSLv2 -SSLv3

because of the openssl issue a while back.

Can I change this back to SSLProtocol all -SSLv2

???
Thx!

#2 Mon, 02/16/2015 - 12:53

jimdunn

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html says that SSLv2 and v3 are unsafe.

#3 Mon, 02/16/2015 - 18:04

jimdunn

Also, here's the "Mozilla" recommended settings:

SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

Topic locked