Hi, Running debian 8, apache 2.4.10 with openssl 1.0.1t (all packages from apt, no compiled stuff). Problem is that when setting "SSLProtocol all" only TLS works, and sslv3 cannot work alongside TLS. Only explicitly sslv3 works if added with
"SSLProtocol +SSLv3". "SSLProtocol -all +SSLv3" or "SSLProtocol +SSLv3 +TLSv1" ... makes apache totally ignore sslv3.
So TLS and SSLv3 is functional but not at the same time. And even ssl.conf has documented that SSLProtocol all means sslv3 and above enabled.
I know SSLv3 is insecure and should be burnt, but for this one instance I need both SSLv3 with TLS.
[link] [comments]