17 Oct
2014
17 Oct
'14
7:38 p.m.
On 10/17/2014 09:53 AM, James B. Byrne wrote:
I read this on the RHN commentary respecting cve-2014-3566:
https://securityblog.redhat.com/2014/10/15/poodle-a-ssl3-vulnerability-cve-2...:
...
If read the advisory aright then TLSv1.0 suffers from exactly the same flaw as SSLv3. So, how do I configure apache-2.2.15 to deny TLSv1.0 and keep service TLSv1.1+?
The same advisory recommends to use this config for 7 and 6.6 upwards
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
I guess you could try changing that to
SSLProtocol -All +TLSv1.1 +TLSv1.2
Don't know what you might break on the client side...
- Thomas