...at long last (but I don't understand everything--see below).
On Sat, 2015-01-17 at 17:07 +0100, Andre Speelmans wrote:
> Thanks for the suggestion. Changing the min (and fallback-limit,
> because I didn't know what that did) to 10 does not cause a failure to
> connect. So either (a) the server change didn't take or (b) the browser
> change didn't take or (c) I need to do something else in the browser to
> force SSLv3.
> Test the browser with those settings against a server that you know has
> no POODLE vulnerability?
It turns out, for reasons I haven't figured out, that changing the
SSLProtocol line in /etc/httpd/conf.d/ssl.conf from
SSLProtocol All -SSLv2
to
SSLProtocol All -SSLv2 -SSLv3
doesn't seem to disable the SSLv3 protocol, as advertised. Instead, I
had to add the second version to the configuration for one of my vhosts
that supports https protocol. I put it below the line
SSLEngine on
inside the <VirtualHost *:443> block and then it worked fine.
Not sure why it doesn't work in ssl.mod or how I was supposed to figure
it out, but at least now it's working.
It occurs to me that this might be an issue with the order in which
files in /etc/httpd/conf.d are read: the vhost file is alphabetically
earlier than ssl.conf. If that's correct, then maybe those files should
be named like the files in /etc/init.d, with prefix numbers to force an
ordering on them?
Thanks for the help.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
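An added check, not from this thread, that computes the effective SSLProtocol for each <VirtualHost> in an Apache config and flags vhosts still permitting SSLv3. It assumes mod_ssl's scoping rule (an SSLProtocol inside a vhost applies only to that vhost; a vhost without one inherits the server-context value; with none anywhere, the documented default "all" applies) and uses a constructed sample in which the exclusion sits inside one vhost block while a second vhost carries no SSLProtocol of its own.

```python
import re
# Protocol names mod_ssl accepted in SSLProtocol at the time (no TLSv1.3 yet).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def resolve_sslprotocol(tokens):
    """Apply SSLProtocol tokens ('All', '+X', '-X', 'X') left to right."""
    enabled = set()
    for tok in tokens:
        remove = tok.startswith("-")
        name = tok.lstrip("+-")
        for n in ALL_PROTOCOLS if name.lower() == "all" else (name,):
            enabled.discard(n) if remove else enabled.add(n)
    return enabled

def effective_protocols(config_text):
    """Map each <VirtualHost> to its enabled protocols under mod_ssl scoping: a
    vhost-level SSLProtocol applies only to that vhost, a vhost without one
    inherits the server-context value, else the documented default 'all'."""
    server_tokens, vhost_tokens, current = None, {}, None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            current = m.group(1)
            vhost_tokens.setdefault(current, None)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            if current is None:
                server_tokens = m.group(1).split()
            else:
                vhost_tokens[current] = m.group(1).split()
    return {vh: resolve_sslprotocol(toks if toks is not None else server_tokens or ["all"])
            for vh, toks in vhost_tokens.items()}

def vhosts_allowing_sslv3(config_text):
    """Vhosts whose effective SSLProtocol still permits SSLv3 (POODLE-exposed)."""
    return sorted(vh for vh, p in effective_protocols(config_text).items() if "SSLv3" in p)

# Constructed sample (not the poster's config): the SSLv3 exclusion sits inside
# one vhost block, so the separately defined *:443 vhost does not inherit it.
SAMPLE_CONFIG = """
<VirtualHost _default_:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
</VirtualHost>
"""
```

Moving the SSLProtocol line to server context, or repeating it inside the *:443 block as the poster did, empties the flagged list.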