Ok, here is my final plan then. I am going to mark them all deprecated for 6.2.x.
Then after branching I am going to remove all client <-> proxy support and ifdef out proxy <-> origin support for SSLv3. SSLv2 will be totally gone. Then add a configure option that reads something like --enable-deprecated-sslv3-to-origin so you can re-enable it in the case that you need it, but it's not even compiled in by default. We should also leave the default as is and remove the config option from the default config file so you have to track it down in the docs and read about how unwise it is, etc etc. Thanks. On Tue, Apr 12, 2016 at 10:27 AM Yongming Zhao <ming....@gmail.com> wrote: > +1 > > nice to move forward > > - Yongming Zhao 赵永明 > > > 在 2016年4月10日,下午8:42,Phil Sorber <sor...@apache.org> 写道: > > > > I'd like to propose that we deprecate SSLv2 and SSLv3 in ATS 6.2.0 and > > remove it in 7.0.0. > > > > Currently our defaults do not enable them and have been that way for > about > > a year now. For 6.2.0 I'd like to mark them deprecated in the > > documentation, and then we remove the code for 7.0.0. This will mean that > > as of 7.0.0 you will not be able to enable SSLv2/3 even if your OpenSSL > > library supports it. > > > > Appreciate any feedback. > > > > Thanks. > >
