+1 The consequences from DROWN (CVE-2016-0800 and CVE-2016-0703 ) are too severe on the whole shared cert infrastructure from just one machine being accidentally configured to allow SSLv2.
I filed this ticket:https://issues.apache.org/jira/browse/TS-4247 On Sunday, April 10, 2016 8:33 PM, Masaori Koshiba <masa...@apache.org> wrote: +1 2016年4月11日(月) 9:57 Uri Shachar <ushac...@hotmail.com>: > On Apr 10, 2016, at 7:42 AM, Phil Sorber <sor...@apache.org> wrote: > > I'd like to propose that we deprecate SSLv2 and SSLv3 in ATS 6.2.0 and > remove it in 7.0.0. > > Currently our defaults do not enable them and have been that way for about > a year now. For 6.2.0 I'd like to mark them deprecated in the > documentation, and then we remove the code for 7.0.0. This will mean that > as of 7.0.0 you will not be able to enable SSLv2/3 even if your OpenSSL > library supports it. +1 to disabling for client <-> proxy connections. Completely disabling for proxy <-> origin is somewhat problematic for the forward proxy use case -- there are still some lingering SSLv3 servers out there, especially inside LANs.... Cheers, Uri
