Okay, so after poking #debian-security on OFTC, Thijs (or at least I believe it's Thijs) said the following:

[2014/11/01 11:25:15] <thijs_> teward: I think the ideal package does not have SSLv3 included in its default settings. With Apache in Debian this is quite the case because /etc/apache2/conf-available/ssl.conf will disable SSLv3, so any vhost using SSL without explicitly overriding the SSLProtocols will not have it
[2014/11/01 11:26:28] <thijs_> that nginx disables it in a configuration example is good, but I would think it's much better if someone creates a vhost without explicit protocol specification, it would not do SSLv3

To that end, I went fussing around with the code of the SSL module. Attached is a patch which should do the trick, and disable SSLv3 support if ssl_protocols is NOT defined.

Before this patch is included, though, we should really consider whether we actually *want* to disable SSLv3 by default and potentially break nginx configurations which need SSLv3 and don't have ssl_protocols defined. At the very least, a NEWS entry needs to be added for this.

If this change is accepted, I'll make a blog post about it, but only if it's included.

------
Thomas
disable_sslv3_default_protocol.patch
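To see what a given nginx instance actually does when ssl_protocols is left unset, before or after a change like the one proposed in the message above, the following probe sends a hand-built SSLv3 ClientHello and classifies the first record the server sends back. This is an added example written for this page; it is not code from the original post or from nginx. The cipher-suite list, the default target of localhost:443 and the sample replies used for offline checking are assumptions constructed for the demonstration. The hello is assembled byte by byte because most current OpenSSL and Python builds no longer expose SSLv3 at all, so `openssl s_client -ssl3` or `ssl.PROTOCOL_SSLv3` cannot be relied on to exist.

```python
"""Probe a TLS endpoint with a raw SSLv3 ClientHello and report whether
the server negotiates SSLv3.  Added example, not part of the original post.
Hostname, port, cipher list and the sample replies below are assumptions."""
import os
import socket
import struct

SSLV3_VERSION = b"\x03\x00"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# Cipher suites an SSLv3-era server would recognise (assumed list; any
# SSLv3-capable suites would do, the probe only needs the server to be
# able to pick one if it is willing to speak 3.0 at all).
SSLV3_CIPHER_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

# TLS alert descriptions a server typically returns when a protocol
# version is disabled.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(random_bytes=None):
    """Return one SSL 3.0 record carrying a ClientHello.  SSL 3.0 has no
    extensions, so the server must either answer with an SSLv3 ServerHello
    or refuse the handshake."""
    if random_bytes is None:
        random_bytes = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        SSLV3_VERSION                              # client_version = 3.0
        + random_bytes                             # 32-byte client random
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", len(suites)) + suites  # cipher_suites vector
        + b"\x01\x00"                              # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Map the first record the server sends back to a verdict string."""
    if len(data) < 5:
        return "refused: connection closed without a handshake record"
    content_type = data[0]
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        # data[9:11] is server_version inside the ServerHello, i.e. the
        # version the server actually negotiated.
        if data[9:11] == SSLV3_VERSION:
            return "ACCEPTED: server negotiated SSLv3"
        return "unexpected: ServerHello with version %02x.%02x" % (data[9], data[10])
    if content_type == CONTENT_ALERT and len(data) >= 7:
        desc = data[6]
        return "refused: alert %s (%d)" % (ALERT_NAMES.get(desc, "unknown"), desc)
    return "unexpected: content type 0x%02x" % content_type


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_response(reply)


# Constructed sample replies (not captured from any real server) so the
# classifier can be exercised without a network.
_sh_body = SSLV3_VERSION + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
_sh_handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(_sh_body).to_bytes(3, "big") + _sh_body
SAMPLE_SERVER_HELLO_SSLV3 = (bytes([CONTENT_HANDSHAKE]) + SSLV3_VERSION
                             + struct.pack("!H", len(_sh_handshake)) + _sh_handshake)
SAMPLE_ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    import sys
    for name, sample in (("sample ServerHello", SAMPLE_SERVER_HELLO_SSLV3),
                         ("sample alert", SAMPLE_ALERT_HANDSHAKE_FAILURE)):
        print("%-20s %s" % (name, classify_response(sample)))
    if len(sys.argv) > 1:                      # assumed usage: probe.py host [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("%-20s %s" % (sys.argv[1], probe(sys.argv[1], port)))
```

Against a server where ssl_protocols is unset and the build still allows SSLv3, the reply is an SSLv3 ServerHello and the verdict is ACCEPTED; once SSLv3 is out of the default (or set explicitly to `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`), OpenSSL answers with a handshake_failure or protocol_version alert, or the connection is simply closed, and all three are reported as refused. Only the first record is inspected, which is enough for this question since the version is decided in the ServerHello.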