2015-04-17 14:40 GMT+03:00 Peter <peter at pajamian.dhs.org>:

> On 04/17/2015 11:20 PM, Eero Volotinen wrote:
> > Yep, maybe using ssl offloading devices like (BigIP) that receives tls1.2
> > and tlsv1.2 and then re-encrypts traffic with tls1.0 might be "cheapest"
> > solution.
>
> Perhaps re-evaluate the need to have TLS 1.1 and 1.2 right now. The
> only attack against 1.0 that I'm aware of is BEAST and that has been
> largely mitigated by browser-side fixes to the point where TLS 1.0 is
> now considered to be safe. No doubt there will in time be other attacks
> that necessitate an upgrade, but for now I would just stick with the
>

Well, PCI DSS 3.1 standard soon denies use of sslv3 and early version of
tls(v1.0)

Also noted that it is possible to do ssl termination and encryption again
with mod_ssl sslproxyengine.

--
Eero
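
The termination and re-encryption setup mentioned in the message above, sketched as an Apache httpd 2.4 virtual host. This is an added example, not part of the original message; the host names and file paths are placeholders chosen for illustration.

```apache
# Front end: clients connect here with TLS 1.1 / 1.2 only.
<VirtualHost *:443>
    ServerName www.example.com                      # placeholder name

    SSLEngine on
    SSLProtocol -all +TLSv1.1 +TLSv1.2              # no SSLv3, no TLS 1.0 toward clients
    SSLCertificateFile    /etc/pki/tls/certs/front.example.crt    # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/front.example.key  # placeholder path

    # Back end: mod_ssl acts as a TLS client and re-encrypts the request
    # for a legacy server that only speaks TLS 1.0.
    SSLProxyEngine on
    SSLProxyProtocol TLSv1

    # Authenticate the legacy server so the re-encrypted hop cannot be
    # silently redirected to another host.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/pki/tls/certs/internal-ca.crt  # placeholder path
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://legacy-app.internal.example/       # placeholder backend
    ProxyPassReverse / https://legacy-app.internal.example/
</VirtualHost>
```

The hop between the proxy and the backend still runs TLS 1.0, so only the client-facing side is restricted to TLS 1.1 and 1.2; keep that segment on a restricted network.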