Missing in 1.5.x: No
I have recently "hardened" my SSL installation (fixing renegotiation, manually editing ciphersuites etc.) in an attempt to do at least as well as https://www.ssllabs.com/ssldb/analyze.html?d=cert.startcom.org
Long story short: It seems wise already now, but definitely for the future, to be able to turn off SSLv3 as well, and stick only with TLS, as SSLv3 also has weaknesses, and all current browsers support TLS 1.0 anyway.
I'm attaching a simple patch that allows one to do precisely this. It acts exactly like the ssl.use-sslv2 configuration option, but for SSLv3 (with the default being "enabled"). I verified this to work with the latest SVN revision of 1.4 (1.4.27-devel-2758M), but having looked at the 1.5 source code it's straightforward to "port" it there as well.
If you think it's useful... well, just throw it in :-)
#5 Updated by email@example.com about 2 years ago
With this patch applied and disabling SSLv3 I cannot get any browser to connect. The error log shows messages such as the
2011-03-16 22:36:24: (connections.c.299) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2011-03-16 22:36:49: (connections.c.299) SSL: 1 error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number