Disable SSLv2 and SSLv3 in Apache

By | 2013/06/18

Yes we all know that SSLv2 is to be avoided, but you should also consider disabling SSLv3! Wha? Crazy I know. Here is some info.


The replacement for SSLv3 was TLS 1.0. We now have TLS 1.0, 1.1, and 1.2. In fact, no modern browsers or mobile devices need SSLv3 – not even IE 8 on Windows XP!

For best security, disable both SSLv2 and SSLv3 and only use TLS 1.0 and higher.

In Apache, current docs say to specify the following:

SSLProtocol All -SSLv2 -SSLv3


Rock on,