...at long last (but I don't understand everything--see below).

On Sat, 2015-01-17 at 17:07 +0100, Andre Speelmans wrote:
> > Thanks for the suggestion. Changing the min (and fallback-limit,
> > because I didn't know what that did) to 10 does not cause a failure to
> > connect. So either (a) the server change didn't take or (b) the browser
> > change didn't take or (c) I need to do something else in the browser to
> > force SSLv3.
>
> Test the browser with those settings against a server that you know has
> no POODLE vulnerability?
>

It turns out, for reasons I haven't figured out, that changing the
SSLProtocol line in /etc/httpd/conf.d/ssl.conf from

    SSLProtocol All -SSLv2

to

    SSLProtocol All -SSLv2 -SSLv3

doesn't seem to disable the SSLv3 protocol, as advertised. Instead, I
had to add the second version to the configuration for one of my vhosts
that supports https protocol. I put it below the line

    SSLEngine on

inside the <VirtualHost *:443> block and then it worked fine.

Not sure why it doesn't work in ssl.mod or how I was supposed to figure
it out, but at least now it's working.

It occurs to me that this might be an issue with the order in which
files in /etc/httpd/conf.d are read: the vhost file is alphabetically
earlier than ssl.conf. If that's correct, then maybe those files should
be named like the files in /etc/init.d, with prefix numbers to force an
ordering on them?

Thanks for the help.

--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
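
A configuration lint for the situation described in this message, as an added example that is not part of the original post: it walks conf.d files in alphabetical order and reports, for each SSL-enabled VirtualHost, which scope supplies SSLProtocol and whether SSLv3 remains enabled. The sample files, the file name example-vhost.conf, the meaning of All and the handling of an unset directive are assumptions; this is a simplified model, not Apache's own parser.

```python
import re

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumption: what "All" enables here

def protocols(args):
    """Evaluate SSLProtocol arguments left to right."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        chosen = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = chosen          # bare token replaces the current set
    return enabled

def audit(conf_d):
    """Map (file, vhost address) -> (scope of SSLProtocol used, SSLv3 enabled?)."""
    server_wide, vhosts = None, []
    for fname in sorted(conf_d):      # conf.d/*.conf is read alphabetically
        cur = None
        for line in map(str.strip, conf_d[fname].splitlines()):
            if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
                cur = {"key": (fname, m.group(1)), "ssl": False, "proto": None}
            elif re.match(r"</VirtualHost>", line, re.I):
                vhosts.append(cur)
                cur = None
            elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
                if cur:
                    cur["proto"] = m.group(1)
                else:
                    server_wide = m.group(1)
            elif cur and re.match(r"SSLEngine\s+on\b", line, re.I):
                cur["ssl"] = True
    report = {}
    for vh in (v for v in vhosts if v["ssl"]):
        scope = "vhost" if vh["proto"] else "server" if server_wide else "unset"
        args = vh["proto"] or server_wide or "All"   # assumption: unset behaves like All
        report[vh["key"]] = (scope, "SSLv3" in protocols(args))
    return report

# Constructed sample files; only the name ssl.conf comes from the post.
SAMPLE = {
    "ssl.conf": "<VirtualHost _default_:443>\nSSLEngine on\n"
                "SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n",
    "example-vhost.conf": "<VirtualHost *:443>\nSSLEngine on\n</VirtualHost>\n",
}

if __name__ == "__main__":
    for key, (scope, sslv3) in audit(SAMPLE).items():
        print(key, scope, "SSLv3 ENABLED" if sslv3 else "SSLv3 off")
```

A handshake test against each vhost remains the confirmation that a change took effect; the lint only shows which block a given SSLProtocol line actually sits in.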