mod_ssl: Disable SSL v3 (and v2) protocols by default.

Both the SSL v2 and v3 protocols have known problems, and the TLS v1.x protocols are available to almost everyone. One known exception is Internet Explorer 6 on Microsoft Windows XP, but XP is out of support anyway, so hopefully few people run that. Users of mod_ssl can override this, but defaulting to not use insecure protocols is the proper thing.

mod_ssl: Disable SSL v3 (and v2) protocols by default.
fda3e06d · Thomas Bellman · 9102fa64 · fda3e06d
Commit fda3e06d authored 10 years ago by Thomas Bellman
--- a/manifests/mod_ssl.pp
+++ b/manifests/mod_ssl.pp
@@ -21,6 +21,8 @@ class apache::mod_ssl
 	'SSLRandomSeed startup'	 => 'file:/dev/urandom 256',
 	'SSLRandomSeed connect'	 => 'builtin',
 	'SSLCryptoDevice'	 => 'builtin',
+	# Both SSLv2 and SSLv3 are broken, security-wise
+	'SSLProtocol'		 => 'all -SSLv2 -SSLv3',
    }
    package {
 	'mod_ssl':