This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.

SSLProtocol all -SSLv2 -SSLv3

3 posts / 0 new

Topic locked

Last post

#1 Mon, 02/16/2015 - 07:35

jimdunn

SSLProtocol all -SSLv2 -SSLv3

Not sure which forum to post this in...

QUESTION: has openssl been fixed, so that we can fix the SSLProtocol entry in our ssl.conf file?

I have:

SSLProtocol all -SSLv2 -SSLv3

because of the openssl issue a while back.

Can I change this back to SSLProtocol all -SSLv2

???
Thx!

#2 Mon, 02/16/2015 - 12:53

jimdunn

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html says that SSLv2 and v3 are unsafe.

#3 Mon, 02/16/2015 - 18:04

jimdunn

Also, here's the "Mozilla" recommended settings:

SSLProtocol All -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

Topic locked