> On Apr 10, 2016, at 7:42 AM, Phil Sorber <sor...@apache.org> wrote:
>
> I'd like to propose that we deprecate SSLv2 and SSLv3 in ATS 6.2.0 and
> remove it in 7.0.0.
>
> Currently our defaults do not enable them and have been that way for about
> a year now. For 6.2.0 I'd like to mark them deprecated in the
> documentation, and then we remove the code for 7.0.0. This will mean that
> as of 7.0.0 you will not be able to enable SSLv2/3 even if your OpenSSL
> library supports it.
+1 to disabling for client <-> proxy connections.
Completely disabling for proxy <-> origin is somewhat problematic for the
forward proxy use case -- there are still some lingering SSLv3 servers out
there, especially inside LANs....
Cheers,
Uri
