2015-04-17 14:40 GMT+03:00 Peter <peter@pajamian.dhs.org>:
> On 04/17/2015 11:20 PM, Eero Volotinen wrote:
>> Yep, maybe using SSL offloading devices (like BigIP) that receive TLS 1.1 and TLS 1.2 and then re-encrypt the traffic with TLS 1.0 might be the "cheapest" solution.
> Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The only attack against 1.0 that I'm aware of is BEAST, and that has been largely mitigated by browser-side fixes, to the point where TLS 1.0 is now considered to be safe. No doubt there will in time be other attacks that necessitate an upgrade, but for now I would just stick with the
Well, the PCI DSS 3.1 standard will soon prohibit the use of SSLv3 and early versions of TLS (v1.0).
Also, I noted that it is possible to do SSL termination and re-encryption with mod_ssl's SSLProxyEngine.
-- Eero
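As an added illustration (not part of the thread, and not configuration from either poster), this is what the mod_ssl-based termination and re-encryption mentioned above looks like in Apache httpd 2.4: clients are offered only TLS 1.1/1.2 on the front side, and mod_proxy re-encrypts to a legacy backend that only speaks TLS 1.0. The hostnames, certificate paths and backend address are placeholders.

```apache
# Added example (not from the thread): Apache httpd 2.4 mod_ssl + mod_proxy
# acting as a TLS "offloader". Clients get TLS 1.1/1.2 on the front side,
# and httpd re-encrypts to a legacy backend that only speaks TLS 1.0.
# Hostnames, paths and the backend address are assumptions/placeholders.
Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # Front side: only modern protocol versions toward clients.
    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Back side: let mod_proxy open its own TLS connections.
    SSLProxyEngine on
    # The legacy backend only speaks TLS 1.0; pin the proxy-side handshake
    # to exactly that version so a fallback to SSLv3 is not possible.
    SSLProxyProtocol TLSv1
    # Still authenticate the backend: the internal hop is not risk-free.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt
    SSLProxyCheckPeerName on

    ProxyPass        / https://legacy-backend.internal:8443/
    ProxyPassReverse / https://legacy-backend.internal:8443/
</VirtualHost>
```

Note that TLS 1.0 is still in use on the proxy-to-backend leg; whether that satisfies the PCI DSS 3.1 requirement depends on how that internal segment is scoped, so the offloader is a bridge to upgrading the backend, not a substitute for it.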