SSL 3 is dead

Just for completeness: if you still haven’t noticed despite the various reports, SSL 3 is considered to be “dead”. Also see the article about this at Security Labs.

For me this was no surprise – I have not used SSL 3 on my servers for more than a year anyway. At least TLS 1.0 is required. So far I have never had any complaints from users of my services that they cannot use them because of that.

Therefore I generally recommend turning off SSL 3, for example in Apache with the following configuration:

SSLProtocol all -SSLv2 -SSLv3
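
To confirm on your own server that the setting took effect, the following added example (not part of the original post) sends a hand-built ClientHello that offers only SSL 3.0 and classifies the reply. The function names and the offered cipher suite list are assumptions chosen for this sketch.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version 3.0 as it appears on the wire
# Constructed offer of common SSL 3.0-era suites: RSA_3DES_EDE_CBC_SHA,
# RSA_RC4_128_SHA, RSA_AES_128_CBC_SHA, RSA_AES_256_CBC_SHA
SUITES = b"\x00\x0a\x00\x05\x00\x2f\x00\x35"


def build_ssl3_client_hello(random_bytes=None):
    """Return one SSL 3.0 record holding a ClientHello that offers only 3.0."""
    random_bytes = random_bytes or os.urandom(32)
    body = (SSL3 + random_bytes
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(SUITES)) + SUITES
            + b"\x01\x00")                              # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Map the first bytes of the server's reply to a verdict."""
    if not data:
        return "rejected (connection closed)"
    if data[0] == 0x15:                                 # alert record
        return "rejected (alert)"
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # ServerHello: bytes 9-10 carry the version the server selected
        return "SSL 3 ACCEPTED" if data[9:11] == SSL3 else "unexpected version"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you operate and classify its answer."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            while len(data) < 11:                       # enough for the version
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
        except (ConnectionResetError, socket.timeout):
            pass                                        # treat as no further data
    return classify_reply(data)
```

Call `probe("your-server.example")` with the name of a host you run. A "rejected" verdict only covers the four suites offered here, so a server that speaks SSL 3 with other suites would also answer with an alert.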

As an end user you should also disable SSL 3 in your browser. On the test page by SSL Labs you can check if your browser is affected by the problem.

Update 2014-11-08: If you use older software on your server which does not allow you to modify the SSL configuration, you should have a look at the “TLS Imposer”.
