comment-out SSLProtocol, SSLProxyProtocol from ssl.conf in

default configuration; now follow OpenSSL system default (#1468322) Resolves: rhbz#1468322
2018-09-21 15:22:11 +01:00 · 2018-09-21 15:22:11 +01:00 · e6f5630905
commit e6f5630905
parent 89ff98903a
2 changed files with 13 additions and 10 deletions
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -733,6 +733,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Fri Sep 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-8
+- comment-out SSLProtocol, SSLProxyProtocol from ssl.conf in
+  default configuration; now follow OpenSSL system default (#1468322)
+
 * Fri Sep 21 2018 Joe Orton <jorton@redhat.com> - 2.4.34-7
 - mod_ssl: follow OpenSSL protocol defaults if SSLProtocol
  is not configured (Rob Crittenden, #1618371)
--- a/ssl.conf
+++ b/ssl.conf
@ -70,11 +70,10 @@ LogLevel warn
 SSLEngine on

 #   List the protocol versions which clients are allowed to connect with.
-#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
-#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
-#   protocol or later should remain in use.
-SSLProtocol all -SSLv3
-SSLProxyProtocol all -SSLv3
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3

 #   User agents such as web browsers are not configured for the user's
 #   own preference of either security or performance, therefore this