>> > By and large what should be off by default eventually or already
>> > is, but there can be some delay for backwards compatibility.
>> ...
>> > With these you're covered for no-ssl2 no-comp and no weak ciphers.
>>
>> We are using 1.0.2f, no-ssl2 and no-comp do not appear to be defaults in
>> that version. Should heartbeats be turned off, or have recent versions of
>> OpenSSL taken care of any potential weaknesses there?
>
> Yes, you do need to disable "ssl2" in releases prior to 1.0.1s
> and 1.0.2g.
>
> Note that "no-comp" is a consequence of "zlib" and "zlib-dynamic"
> not being enabled. You have to choose to turn compression on IIRC
> by enabling one of these.

no-comp disables compression independent of zlib. OPENSSL_NO_COMP will be defined in the OpenSSL headers. Also see https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options.

As interesting ones show up and team members comment on them, they get added to the list.

Jeff
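The reply above says that a build configured with no-comp defines OPENSSL_NO_COMP in the generated headers. The following script is an added example, not code from this thread or from the OpenSSL project; it checks a given opensslconf.h for that macro and for the matching OPENSSL_NO_SSL2, OPENSSL_NO_SSL3 and OPENSSL_NO_HEARTBEATS macros, so a team running a 1.0.2-era build can verify what was actually disabled instead of assuming the defaults. The header path is a parameter, and the sample header contents written by write_sample_header are constructed for the demonstration.

```shell
# Added example, not from the thread or from OpenSSL.  Inspects an
# opensslconf.h for the OPENSSL_NO_* macros that the configure script
# emits for the corresponding "no-*" options.  Header contents used
# below are constructed samples, not real OpenSSL output.

# Usage: check_openssl_opts <path-to-opensslconf.h>
# Prints "<feature>: disabled" when OPENSSL_NO_<feature> is defined and
# "<feature>: ENABLED" otherwise.  Always exits 0 so it is safe to pipe
# under "set -e"; the printed lines carry the result.
check_openssl_opts() {
  hdr="$1"
  for feat in SSL2 SSL3 COMP HEARTBEATS; do
    # Match both "#define OPENSSL_NO_X" and the "# define" spelling.
    if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_${feat}([[:space:]]|\$)" "$hdr"; then
      echo "${feat}: disabled"
    else
      echo "${feat}: ENABLED"
    fi
  done
  return 0
}

# Writes a constructed opensslconf.h fragment to <path>, defining
# OPENSSL_NO_<feature> for every feature name given after the path.
# Usage: write_sample_header <path> [FEATURE ...]
write_sample_header() {
  out="$1"; shift
  printf '/* constructed sample, not a real OpenSSL header */\n' > "$out"
  for feat in "$@"; do
    printf '#ifndef OPENSSL_NO_%s\n# define OPENSSL_NO_%s\n#endif\n' "$feat" "$feat" >> "$out"
  done
}

tmpdir=$(mktemp -d)
write_sample_header "$tmpdir/default.h"                      # nothing disabled
write_sample_header "$tmpdir/hardened.h" SSL2 SSL3 COMP HEARTBEATS

echo "== constructed build with no options disabled =="
check_openssl_opts "$tmpdir/default.h"
echo "== constructed build with no-ssl2 no-ssl3 no-comp no-heartbeats =="
check_openssl_opts "$tmpdir/hardened.h"
rm -rf "$tmpdir"
```

Point check_openssl_opts at the installed header (for a 1.0.2 install that is typically include/openssl/opensslconf.h under the OpenSSL prefix) to see which of the options discussed in the thread the running build really carries.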