Posted to dev@httpd.apache.org by Takashi Sato <ta...@tks.st> on 2014/10/17 12:02:12 UTC

Disable SSLv3 by default

SSLv3 is now insecure (CVE-2014-3566, POODLE)
Let's disable SSLv3 by default, at least in trunk.

SSLProtocol default is "all".
<http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
"all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."

Should we remove SSLv3 from "all"?

Re: Disable SSLv3 by default

Posted by 백정운 <ju...@piolink.com>.
That's right, SSLv3 is no longer secure.

2014-10-17 19:14 GMT+09:00 Reindl Harald <h....@thelounge.net>:

>
> On 17.10.2014 at 12:02, Takashi Sato wrote:
>
>> SSLv3 is now insecure (CVE-2014-3566, POODLE)
>> Let's disable SSLv3 by default, at least in trunk.
>>
>> SSLProtocol default is "all".
>> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
>> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
>> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
>>
>> Should we remove SSLv3 from "all"?
>>
>
> From a user's (admin's) point of view: yes
>
> If somebody really needs it, he can enable SSLv3 deliberately;
> what sadly does not happen in many setups is disabling it over the years
>
>

Re: Disable SSLv3 by default

Posted by Reindl Harald <h....@thelounge.net>.
On 17.10.2014 at 12:02, Takashi Sato wrote:
> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> Let's disable SSLv3 by default, at least in trunk.
>
> SSLProtocol default is "all".
> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
>
> Should we remove SSLv3 from "all"?

From a user's (admin's) point of view: yes

If somebody really needs it, he can enable SSLv3 deliberately;
what sadly does not happen in many setups is disabling it over the years


Re: Disable SSLv3 by default

Posted by Reindl Harald <h....@thelounge.net>.
On 20.10.2014 at 19:17, wrowe@rowe-clan.net wrote:
> Is this a responsible recommendation, though?  Does TLSv1.0 offer any
> significant improvement over SSLv3.0 that HTTP server project endorses?
> Can or should 'we' officially designate SSLv3 as undesirable without
> making the same recommendation for TLSv1.0?

From a technical and security point of view: yes
at this time you don't want it on the admin side

there are way too many systems not supporting TLS1.1/1.2

> It seems to me that SAFE at this time is TLSv1.1 TLSv1.2.
> It also seems to me that the first problem to solve is to ensure if the user
> removes SSLv3 (+/- TLSv1.0) from their openssl installed binary, that we
> simply respect that.  In that case, 'SSLProtocol all' should be just the
> remaining supported TLSv1.1 and TLSv1.2 protocols

Disabling only SSL3 would make things much better without the impact of
disabling TLS1.0 - speaking as an admin: I (or we) need to draw a line somewhere


RE: Re: Disable SSLv3 by default

Posted by wr...@rowe-clan.net.
--------- Original Message ---------
Subject: Re: Disable SSLv3 by default
From: "Arkadiusz Miśkiewicz" <ar...@maven.pl>
Date: 10/17/14 1:57 pm
To: dev@httpd.apache.org

On Friday 17 of October 2014, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
> > SSLv3 is now insecure (CVE-2014-3566, POODLE)
> > Let's disable SSLv3 by default, at least in trunk.
> >
> > SSLProtocol default is "all".
> > <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> > "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> > 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> >
> > Should we remove SSLv3 from "all"?
>
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".

Then add a "safe" option (leaving "all" as is) and make "safe" the default.
"safe" would point to known safe protocols at release time.

Is this a responsible recommendation, though?  Does TLSv1.0 offer any
significant improvement over SSLv3.0 that HTTP server project endorses?
Can or should 'we' officially designate SSLv3 as undesirable without
making the same recommendation for TLSv1.0?

It seems to me that SAFE at this time is TLSv1.1 TLSv1.2.

It also seems to me that the first problem to solve is to ensure if the user
removes SSLv3 (+/- TLSv1.0) from their openssl installed binary, that we
simply respect that.  In that case, 'SSLProtocol all' should be just the
remaining supported TLSv1.1 and TLSv1.2 protocols.

Re: Disable SSLv3 by default

Posted by Arkadiusz Miśkiewicz <ar...@maven.pl>.
On Friday 17 of October 2014, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
> > SSLv3 is now insecure (CVE-2014-3566, POODLE)
> > Let's disable SSLv3 by default, at least in trunk.
> > 
> > SSLProtocol default is "all".
> > <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> > "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> > 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> > 
> > Should we remove SSLv3 from "all"?
> 
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".

Then add a "safe" option (leaving "all" as is) and make "safe" the default.
"safe" would point to known safe protocols at release time.

> Kaspar


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )

Re: Disable SSLv3 by default

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Sat, Sep 19, 2015 at 4:05 AM, Kaspar Brand <ht...@velox.ch> wrote:

> On 17.10.2014 19:25, Kaspar Brand wrote:
> > On 17.10.2014 12:02, Takashi Sato wrote:
> >> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> >> Let's disable SSLv3 by default, at least in trunk.
> >>
> >> SSLProtocol default is "all".
> >> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> >> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> >> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> >>
> >> Should we remove SSLv3 from "all"?
> >
> > From a semantic point of view, I wouldn't do that. As long as we still
> > allow SSLv3 to be used, "all" should really mean "all protocols which
> > can be enabled in mod_ssl".
> >
> > I'm fine with changing the hardcoded default (in ssl_engine_config.c) to
> > SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.
>
> For the record: this is part of r1703952 which I just committed to trunk
> (and will propose for backporting to 2.4 shortly, unless there are
> objections).
>
> > The other option would be to drop SSLv3 support completely, like we
> > currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
> > this case, "all" would no longer include SSLv3, of course.
>
> This is left as a next step, which I consider appropriate for trunk, at
> least.
>

Trunk, yes.  POLS says no, not 2.4, no matter how 'clean' that solution
seems.

You cannot break users migrating across a subversion bump.

You are welcome to scream at them in their error log that an ill-advised
protocol has been requested, as long as it is non-fatal.

Re: Disable SSLv3 by default

Posted by Kaspar Brand <ht...@velox.ch>.
On 17.10.2014 19:25, Kaspar Brand wrote:
> On 17.10.2014 12:02, Takashi Sato wrote:
>> SSLv3 is now insecure (CVE-2014-3566, POODLE)
>> Let's disable SSLv3 by default, at least in trunk.
>>
>> SSLProtocol default is "all".
>> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
>> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
>> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
>>
>> Should we remove SSLv3 from "all"?
> 
> From a semantic point of view, I wouldn't do that. As long as we still
> allow SSLv3 to be used, "all" should really mean "all protocols which
> can be enabled in mod_ssl".
> 
> I'm fine with changing the hardcoded default (in ssl_engine_config.c) to
> SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.

For the record: this is part of r1703952 which I just committed to trunk
(and will propose for backporting to 2.4 shortly, unless there are
objections).

> The other option would be to drop SSLv3 support completely, like we
> currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
> this case, "all" would no longer include SSLv3, of course.

This is left as a next step, which I consider appropriate for trunk, at
least.

Kaspar

Re: Disable SSLv3 by default

Posted by Kaspar Brand <ht...@velox.ch>.
On 17.10.2014 12:02, Takashi Sato wrote:
> SSLv3 is now insecure (CVE-2014-3566, POODLE)
> Let's disable SSLv3 by default, at least in trunk.
> 
> SSLProtocol default is "all".
> <http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslprotocol>
> "all" means "a shortcut for ``+SSLv3 +TLSv1'' or - when using OpenSSL
> 1.0.1 and later - ``+SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2, respectively."
> 
> Should we remove SSLv3 from "all"?

From a semantic point of view, I wouldn't do that. As long as we still
allow SSLv3 to be used, "all" should really mean "all protocols which
can be enabled in mod_ssl".

I'm fine with changing the hardcoded default (in ssl_engine_config.c) to
SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3, though.

The other option would be to drop SSLv3 support completely, like we
currently do for SSLv2 in ssl_engine_init.c:ssl_init_ctx_protocol(). In
this case, "all" would no longer include SSLv3, of course.

Kaspar
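As an added illustration (not code from this thread or from httpd itself), a small C model of what the thread is arguing about: the protocol mask an `SSLProtocol` argument expands to, and how changing the compiled-in default from `SSL_PROTOCOL_ALL` to `SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3` affects a vhost that never sets the directive. The bit values and the simplified `+`/`-` token handling are assumptions of this example, not mod_ssl's actual parser.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Protocol bit flags modelled on mod_ssl's ssl_private.h; the bit values
 * are an assumption of this example, only the set semantics matter. */
#define SSL_PROTOCOL_NONE    0u
#define SSL_PROTOCOL_SSLV3   (1u << 1)
#define SSL_PROTOCOL_TLSV1   (1u << 2)
#define SSL_PROTOCOL_TLSV1_1 (1u << 3)
#define SSL_PROTOCOL_TLSV1_2 (1u << 4)
#define SSL_PROTOCOL_ALL     (SSL_PROTOCOL_SSLV3 | SSL_PROTOCOL_TLSV1 | \
                              SSL_PROTOCOL_TLSV1_1 | SSL_PROTOCOL_TLSV1_2)
/* Proposed compiled-in default for a vhost without an SSLProtocol line. */
#define DEFAULT_PROTOCOL (SSL_PROTOCOL_ALL & ~SSL_PROTOCOL_SSLV3)

static unsigned proto_bit(const char *name)
{
    if (!strcasecmp(name, "all"))     return SSL_PROTOCOL_ALL;
    if (!strcasecmp(name, "SSLv3"))   return SSL_PROTOCOL_SSLV3;
    if (!strcasecmp(name, "TLSv1"))   return SSL_PROTOCOL_TLSV1;
    if (!strcasecmp(name, "TLSv1.1")) return SSL_PROTOCOL_TLSV1_1;
    if (!strcasecmp(name, "TLSv1.2")) return SSL_PROTOCOL_TLSV1_2;
    return SSL_PROTOCOL_NONE;  /* unknown token (e.g. SSLv2): no effect */
}

/* Parse the argument of an SSLProtocol directive, e.g. "all -SSLv3".
 * '+name' and a bare name add the protocol, '-name' removes it, applied
 * left to right (a simplification of mod_ssl's parser; assumption). */
unsigned parse_ssl_protocol(const char *arg)
{
    unsigned mask = SSL_PROTOCOL_NONE;
    char buf[128];
    snprintf(buf, sizeof buf, "%s", arg);  /* strtok needs a writable copy */
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        char action = (*tok == '+' || *tok == '-') ? *tok++ : '+';
        if (action == '-') mask &= ~proto_bit(tok);
        else               mask |=  proto_bit(tok);
    }
    return mask;
}

/* Audit one vhost: its directive if present, else the compiled-in default.
 * Returns 1 if SSLv3 would still be negotiable. */
int sslv3_negotiable(const char *directive, unsigned default_mask)
{
    unsigned mask = directive ? parse_ssl_protocol(directive) : default_mask;
    return (mask & SSL_PROTOCOL_SSLV3) != 0;
}
```

Note that an explicit `SSLProtocol all` in a vhost still re-enables SSLv3 under the new default, which is exactly the semantic point Kaspar raises about what "all" should mean.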