enterprise-support team mailing list archive

Thread
Date

[Bug 1509586] Re: SSLv3 enabled in apache2 by default

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Robie Basak <1509586@xxxxxxxxxxxxxxxxxx>
Date: Mon, 26 Oct 2015 09:18:34 -0000
Reply-to: Bug 1509586 <1509586@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I have verified that apache2 2.4.12-2ubuntu2 (in Vivid and Wily) ships
with:

        SSLProtocol all -SSLv3

I'm with Seth in that retrospectively updating existing 14.04
deployments risks breaking users. Even if we could update only fresh
installs of 14.04, that would be particularly confusing and break for
existing users who have a reproducible deployment as is current best
practice.

On the other hand, users still deploy 14.04 fresh today, and best
practice would be to configure new deployments with SSLv3 disabled.
Perhaps we should have a place where we can document this kind of thing?
The release notes in a point release perhaps? However there are no more
point releases for 14.04 scheduled. So I'll mark this Won't Fix for
Trusty, but welcome conversation on this issue.

** Also affects: apache2 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: apache2 (Ubuntu Trusty)
       Status: New => Won't Fix

** Changed in: apache2 (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1509586

Title:
  SSLv3 enabled in apache2 by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1509586/+subscriptions