First off I'm not an Apache web server admin, I support an application which a customer is trying to connect to via Apache as a reverse proxy and load balancer.
The customer has two versions of our application running on two different servers. Both severs are identical in terms of version and updates.
One version of the software has been patched for the POODLE vulnerability and disables all SSLv2 and SSLv3 incoming connections, while the other version allows these connections.
The customer states that they have SSLProtocol ALL -SSLv2 -SSLv3 in their Apache config, however they can connect to the old version of the application which only supports SSLv2 and SSLv3, but cannot connect to the latest version as Apache returns a 404 error.
Given that the customer has set the SSLProtocol ALL -SSLv2 -SSLv3 attributes can anyone please confirm if these attributes only disable these protocols for incoming connections and Apache would still use these protocols for outgoing connections?
No comments:
Post a Comment