From: Yann Ylavic Date: Mon, 11 May 2015 09:21:58 +0000 (+0000) Subject: default conf: Disable SSLv3, like SSLv2, in the default configuration. X-Git-Tag: 2.2.30~120 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eda836d46437e695324c5c5d5d74e181d052101f;p=thirdparty%2Fapache%2Fhttpd.git default conf: Disable SSLv3, like SSLv2, in the default configuration. Committed by: covener Reviewed by: covener, ylavic, gsmith Backported by: ylavic git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678700 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index e2442cb01f3..2b5dcb243d2 100644 --- a/STATUS +++ b/STATUS @@ -101,11 +101,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - * default conf: Disable SSLv3, like SSLv2, in the default configuration. - trunk patch: n/a -- Only 2.2.x has SSLProtocol in httpd-ssl.conf.in - 2.2.x patch: https://issues.apache.org/bugzilla/attachment.cgi?id=32131 - +1: covener, ylavic, gsmith - * mod_ssl: Add SSLSessionTickets (on|off). [Rainer Jung] It controls the use of TLS session tickets (RFC 5077). Default is unchanged (on). diff --git a/docs/conf/extra/httpd-ssl.conf.in b/docs/conf/extra/httpd-ssl.conf.in index e04f98c2439..0586d1e200c 100644 --- a/docs/conf/extra/httpd-ssl.conf.in +++ b/docs/conf/extra/httpd-ssl.conf.in @@ -69,8 +69,9 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 # SSL Protocol support: # List the protocol versions which clients are allowed to -# connect with. Disable SSLv2 by default (cf. RFC 6176). -SSLProtocol all -SSLv2 +# connect with. Disable SSLv2 (cf. RFC 6176) and SSLv3 +# (cf. RFC 7525 and CVE 2014-3566). +SSLProtocol all -SSLv2 -SSLv3 # Pass Phrase Dialog: # Configure the pass phrase gathering process.
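Review bot: In the docs/conf/extra/httpd-ssl.conf.in hunk, the new comment writes the identifier as "CVE 2014-3566"; use the canonical hyphenated form "CVE-2014-3566" so that searching the configuration for the CVE ID finds it. The comment could also say which protocol versions remain enabled after "SSLProtocol all -SSLv2 -SSLv3", because "all" is resolved against whatever the linked OpenSSL supports and the directive alone does not tell an administrator what is still accepted. Since the change only touches the shipped template, installations that already copied the earlier "SSLProtocol all -SSLv2" line keep SSLv3 enabled; no CHANGES entry is visible in this diff, and adding one would flag the new default for people upgrading.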