Mozilla is getting rid of SSLv3 in version 34. I imagine Chrome will
follow, and MS will phase it out on the client side for supported
versions. The biggest issue the browsers have is not supporting it and
web sites that depend on SSL 3.0. IMO these sites should join the herd
and migrate over to TLS.

Apache, nginx, and IIS can all be configured not to authenticate using
SSLv3 chain with their respectively configured certificates. This is
what most web admins are doing, in conjunction with killing support
for older browser versions. For example, anything below IE 8 depends
on SSLv3, so these browsers are out of luck (and significantly out of
date) for accessing sites configured to not us SSLv3.

Also, EFF had a notification about upgrading the HTTPS everywhere
plugin, the latest version will mitigate (prevent) the use of SSLv3

Jeremy MountainJohnson
Jeremy.MountainJohnson at

On Thu, Oct 16, 2014 at 12:10 PM, gregrwm <tclug1 at> wrote:
> poodle i think i understand, disable ssl in servers and browsers.
> breach/crime are still issues too if i read correctly, tho i'm less sure i
> understand, but i think the advice is encrypt or compress as you wish, but
> don't do both.  the question:  where are we at with firefox, chrome, and
> apache regarding following this advice?
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> tclug-list at