Comment 0 for bug 1383379

Thomas Ward (teward) wrote : nginx default config has SSLv3 enabled, makes things vulnerable to POODLE

By default, the shipped `default` config file contains a commented-out section for SSL.

That SSL section has the SSLv3 parameter provided for `ssl_protocols`. This means that systems are vulnerable to SSLv3 and the POODLE vulnerability.

Can we remove that from the default section, even though it's commented out, so users don't use the insecure SSLv3 protocol anymore?
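
The check this report asks for can be automated. The following is an added example, not part of the bug report or the nginx package: it finds every `ssl_protocols` directive that lists SSLv3, including commented-out ones like the section described above, and rewrites it without SSLv3. The sample config is constructed for illustration and is not the shipped `default` file; the function names are hypothetical.

```python
import re

# An ssl_protocols directive on one line, optionally commented out with '#'.
DIRECTIVE = re.compile(
    r"^\s*(?P<hash>#+)?\s*ssl_protocols\s+(?P<protos>[^;#]*);"
)

def find_sslv3(config_text):
    """Return (line_no, commented_out, protocols) for each ssl_protocols
    directive that lists SSLv3, whether active or commented out."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if m:
            protos = m.group("protos").split()
            if any(p.lower() == "sslv3" for p in protos):
                findings.append((line_no, bool(m.group("hash")), protos))
    return findings

def drop_sslv3(config_text):
    """Remove SSLv3 from each directive, keeping the other protocols and the
    comment state. A directive listing only SSLv3 is left untouched (an empty
    ssl_protocols is invalid), so find_sslv3 keeps reporting it for review."""
    out = []
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            kept = [p for p in m.group("protos").split() if p.lower() != "sslv3"]
            if kept:
                line = line[:m.start("protos")] + " ".join(kept) + line[m.end("protos"):]
        out.append(line)
    return "\n".join(out)

# Constructed sample: a commented-out SSL server block that still lists SSLv3.
SAMPLE = """\
server {
    listen 80;
}
# server {
#     listen 443;
#     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# }
server {
    listen 8443 ssl;
    ssl_protocols TLSv1.2;
}
"""

if __name__ == "__main__":
    for line_no, commented, protos in find_sslv3(SAMPLE):
        state = "commented out" if commented else "ACTIVE"
        print(f"line {line_no} ({state}): {' '.join(protos)}")
```

A commented-out hit is reported separately from an active one because it only becomes exploitable once an administrator uncomments the block, which is the scenario the report is concerned with.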