On Fri, Oct 17, 2014 at 12:13:28PM -0700, Brent Jones wrote:
> Why not just disable the impacted ciphers?
> This seems reasonable to me:
>
> tls_require_ciphers =
> -ALL:+HIGH:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-MD5:AES256-SHA:AES128-SHA

Very bad cipherlist syntax and entirely futile. You can't disable
the ciphers in question; the problem is with SSLv3 padding, not
the ciphers. The non-POODLE cipher in SSLv3 is RC4, but RC4 is
also weak and deprecated.
--
Viktor.
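
The point made in the reply above, that the weakness lies in the SSLv3 CBC padding rule and not in any particular cipher, shown as an added example (not part of the original message; the function names and sample records are constructed). SSLv3 checks only the final padding-length byte, while TLS 1.0 and later require every padding byte to equal it.

```python
# Added illustration: compares the CBC padding checks of SSLv3 and TLS 1.0+.
# Names and sample records are constructed for this example.

BLOCK = 16  # AES block size; the rule is the same for any CBC block cipher


def sslv3_unpad(plaintext: bytes, block: int = BLOCK):
    """SSLv3 rule: only the trailing length byte is checked.

    The padding bytes in front of it may hold any value and are not
    covered by the record MAC, so the receiver cannot verify them.
    """
    pad_len = plaintext[-1]
    if pad_len >= block or pad_len + 1 > len(plaintext):
        return None
    return plaintext[:-(pad_len + 1)]


def tls_unpad(plaintext: bytes):
    """TLS 1.0+ rule: every padding byte must equal the length byte."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    if plaintext[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        return None
    return plaintext[:-(pad_len + 1)]


# Constructed decrypted records: 20 bytes standing in for data||MAC,
# padded to two 16-byte blocks (11 padding bytes plus the length byte 0x0b).
CONTENT = b"A" * 20
WELL_FORMED = CONTENT + bytes([11]) * 12
ARBITRARY_FILL = CONTENT + bytes(range(11)) + bytes([11])

if __name__ == "__main__":
    for name, record in (("well-formed", WELL_FORMED),
                         ("arbitrary fill", ARBITRARY_FILL)):
        print(f"{name:15} SSLv3 accepts: {sslv3_unpad(record) is not None}, "
              f"TLS accepts: {tls_unpad(record) is not None}")
```

Nothing in either check depends on which CBC cipher encrypted the record, which is why editing the cipher list does not change the outcome.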