From fda3e06d6d5278978c5eaa1f67d407c9decd2ed1 Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@nsc.liu.se>
Date: Mon, 20 Oct 2014 11:01:00 +0200
Subject: [PATCH] mod_ssl: Disable SSL v3 (and v2) protocols by default.

Both the SSL v2 and v3 protocols have known problems, and the TLS v1.x protocols are available to almost everyone. One known exception is Internet Explorer 6 on Microsoft Windows XP, but XP is out of support anyway, so hopefully few people run that. Users of mod_ssl can override this, but defaulting to not use insecure protocols is the proper thing.
---
 manifests/mod_ssl.pp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/manifests/mod_ssl.pp b/manifests/mod_ssl.pp
index a2e2a44..15233c6 100644
--- a/manifests/mod_ssl.pp
+++ b/manifests/mod_ssl.pp
@@ -21,6 +21,8 @@ class apache::mod_ssl
 'SSLRandomSeed startup' => 'file:/dev/urandom 256',
 'SSLRandomSeed connect' => 'builtin',
 'SSLCryptoDevice' => 'builtin',
+ # Both SSLv2 and SSLv3 are broken, security-wise
+ 'SSLProtocol' => 'all -SSLv2 -SSLv3',
 }
 package { 'mod_ssl':
--
GitLab
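Review bot: The comment on the new `SSLProtocol` entry says the protocols are broken but not why, nor that TLS 1.0/1.1 are deliberately left enabled, which is exactly what a reader deciding whether to override this default will want; consider `# SSLv2 (weak ciphers, downgradable handshake) and SSLv3 (CBC padding oracle) are disabled; TLS 1.0/1.1 stay on for client compatibility`. The commit message says users can override this, but whether the enclosing hash is exposed as a class parameter, and whether a vhost-level `SSLProtocol` directive elsewhere in the module could silently re-enable SSLv3, is not visible in the hunk and is worth confirming. Removing SSLv3 at the server does not by itself stop a client-side downgrade dance; that also depends on the OpenSSL build honoring TLS_FALLBACK_SCSV, and cipher-suite hardening (`SSLHonorCipherOrder`, `SSLCipherSuite`) is not addressed by this change. The `apache::mod_ssl` class and the hash being edited both start before and continue after the hunk.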