Comment 7 for bug 1381537

Simon Déziel (sdeziel) wrote : Re: [Bug 1381537] Re: Dovecot version in precise too old to switch off SSLv3 protocol for "poodle" fix

On 10/20/2014 11:18 AM, Roger Cornelius wrote:
> According to https://www.digitalocean.com/community/tutorials/how-to-
> protect-your-server-against-the-poodle-sslv3-vulnerability, SSLv3 can
> be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list
> config option. Is that not correct?

Doing so will drop support for TLS 1.0 and 1.1 too (leaving 1.2 only).
This is explained by the fact that all the ciphers defined by SSLv3 are
also shared by TLS 1.0 and 1.1 so removing them only leaves those added
by TLS 1.2.

$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL' | wc -l
77
$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3' | wc -l
28

This is generally not advisable because many email clients do not
support TLS 1.2. The article should be fixed.

Simon
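To make the cipher-string effect concrete, here is an added example (my own illustration, not code from the bug report, from Roger Cornelius or from Dovecot). It parses the `openssl ciphers -v` format quoted in the comment, emulates the `!SSLv3` rule as a cipher-suite filter, and then asks which suites a client that speaks at most TLS 1.0 or TLS 1.1 could still negotiate. The sample cipher list is constructed by hand in the format OpenSSL 1.0.1 prints (a subset of `ALL:!LOW:!SSLv2:!EXP:!aNULL`); the assumption built into the model is the documented meaning of the second column, namely the lowest protocol version a suite is defined for, so a suite tagged `SSLv3` is usable on SSLv3, TLS 1.0, 1.1 and 1.2, while TLS 1.0 and 1.1 defined no suites of their own. The `live_ciphers` helper optionally runs the locally installed `openssl` so you can repeat the check on a real build.

```python
"""Model what '!SSLv3' in an OpenSSL cipher string does to the protocol
versions a server can still negotiate.  Added example, not Dovecot code.

'openssl ciphers -v' prints one suite per line:
  NAME  MIN_VERSION  Kx=...  Au=...  Enc=...  Mac=...
where MIN_VERSION is the lowest protocol the suite is defined for.
"""
import re
import shutil
import subprocess

# Constructed sample in 'openssl ciphers -v' layout (subset of what an
# OpenSSL 1.0.1 build prints for ALL:!LOW:!SSLv2:!EXP:!aNULL).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

# Protocol versions in order.  Modelling assumption (matches the ciphers(1)
# man page): a suite tagged with version V is usable on V and every later
# version; TLS 1.0 and 1.1 added no suites, so none are tagged with them.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def parse_ciphers_v(text):
    """Parse 'openssl ciphers -v' output into (name, min_version, kx, au,
    enc, mac) tuples; lines that do not match the layout are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groups())
    return suites


def exclude_min_version(suites, version):
    """Emulate the '!<version>' cipher-string rule: drop every suite whose
    minimum version is <version>.  This is a cipher filter, not a protocol
    setting, which is exactly why it has side effects on other versions."""
    return [s for s in suites if s[1] != version]


def usable_by(suites, client_max_version):
    """Suites a client speaking at most client_max_version can negotiate."""
    limit = VERSIONS.index(client_max_version)
    return [s for s in suites if VERSIONS.index(s[1]) <= limit]


def summarize(text):
    """Before/after view of '!SSLv3' for the cipher list in `text`."""
    before = parse_ciphers_v(text)
    after = exclude_min_version(before, "SSLv3")
    return {
        "before": len(before),
        "after": len(after),
        "versions_left": sorted({s[1] for s in after}),
        # What a client capped at TLS 1.0 or 1.1 could still use.
        "tls10_client_after": len(usable_by(after, "TLSv1")),
        "tls11_client_after": len(usable_by(after, "TLSv1.1")),
        "tls10_client_before": len(usable_by(before, "TLSv1")),
    }


def live_ciphers(cipher_string):
    """Run the locally installed openssl; returns None if it is missing or
    rejects the cipher string, so callers can fall back to the sample."""
    if shutil.which("openssl") is None:
        return None
    res = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True)
    return parse_ciphers_v(res.stdout) if res.returncode == 0 else None


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CIPHERS_V).items():
        print(f"{k}: {v}")
    live = live_ciphers("ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3")
    if live is not None:
        print("local openssl after !SSLv3:",
              sorted({s[1] for s in live}))
```

On the sample, every suite a TLS 1.0 or 1.1 client could use is tagged `SSLv3`, so after `!SSLv3` the server has zero suites in common with such a client and the handshake fails; only the `TLSv1.2` suites survive. Disabling the protocol rather than the suites needs Dovecot's `ssl_protocols = !SSLv3`, which is a 2.1-and-later setting and so not available in the 2.0.19 package the bug is about.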