[lug] apache config, TLSv1 versus SSLv2?
Matt Thompson
thompsma at jilau1.colorado.edu
Sun Sep 4 14:03:59 MDT 2005
Lee Woodworth wrote:
> D. Stimits wrote:
>
>> I'm looking at the apache site config docs for version 2 of apache:
>> http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html
>>
>> In it, they offer a section on allowing strong encryption only. I see
>> them using SSLv2, but I know there is also a TLSv1. Is SSLv2
>> newer/stronger than TLSv1? Or is this complete apples and oranges
>> comparison?
>
> TLS 1 is essentially SSL 3. TLS is a 'standard' while SSL is a
> netscape specification. SSL 2 has security issues so I wouldn't
> allow it for the server or for your browser.
Indeed, Firefox is eventually disabling support for SSLv2 due to its
"insecurity":
http://www.mozillazine.org/talkback.html?article=7252
The problem is that even if a site offers both SSLv2 and TLSv1/SSLv3, it
will default to SSLv2. Eep.
--
Learning just means you were wrong and they were right. - Aram
Matt Thompson -- http://ucsub.colorado.edu/~thompsma/
440 UCB, Boulder, CO 80309-0440
JILA A510, 303-492-4662
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3439 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20050904/18c46e37/attachment.bin>
More information about the LUG
mailing list