default conf: Disable SSLv3, like SSLv2, in the default configuration.
authorYann Ylavic <ylavic@apache.org>
Mon, 11 May 2015 09:21:58 +0000 (09:21 +0000)
committerYann Ylavic <ylavic@apache.org>
Mon, 11 May 2015 09:21:58 +0000 (09:21 +0000)
Committed by: covener
Reviewed by: covener, ylavic, gsmith
Backported by: ylavic

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678700 13f79535-47bb-0310-9956-ffa450edef68

STATUS
docs/conf/extra/httpd-ssl.conf.in

diff --git a/STATUS b/STATUS
index e2442cb01f30d5ef62d15aac74c093b80833997a..2b5dcb243d2b7d868f39016260a831aab5fbc211 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -101,11 +101,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
-   * default conf: Disable SSLv3, like SSLv2, in the default configuration.
-     trunk patch: n/a -- Only 2.2.x has SSLProtocol in httpd-ssl.conf.in
-     2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=32131     
-     +1: covener, ylavic, gsmith
-
    * mod_ssl: Add SSLSessionTickets (on|off). [Rainer Jung]
      It controls the use of TLS session tickets (RFC 5077).
      Default is unchanged (on).
index e04f98c24398f7cb0ec4ab6d5bae94a0642673f7..0586d1e200c1ddaab38d917e9594be67bbda32a5 100644 (file)
@@ -69,8 +69,9 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  
 #   SSL Protocol support:
 #   List the protocol versions which clients are allowed to
-#   connect with. Disable SSLv2 by default (cf. RFC 6176).
-SSLProtocol all -SSLv2
+#   connect with. Disable SSLv2 (cf. RFC 6176) and SSLv3
+#   (cf. RFC 7525 and CVE 2014-3566).
+SSLProtocol all -SSLv2 -SSLv3
 
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.
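Review bot: The added comment above `SSLProtocol` writes the identifier as `CVE 2014-3566`, without the hyphen after `CVE`, so a search for the canonical ID will not find this file; I would write `#   (cf. RFC 7525 and CVE-2014-3566).` instead. The directive remains a denylist (`all -SSLv2 -SSLv3`), so which protocols stay enabled depends on what the linked OpenSSL supports, and the comment could say so in one line. This file looks like the template used for new installs (`httpd-ssl.conf.in`), so an already-deployed `httpd-ssl.conf` would not pick up the change; a release-note line telling operators to apply the same `-SSLv3` edit would close that gap.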