Suggestion for documentation enhancement regarding SSL/TLS


I was just reading the documentation for Red Hat Enterprise Linux 6 and on chapter 19.3.1.2.1. Configuring Postfix to Use Transport Layer Security it states:

"Due to the vulnerability described in Resolution for POODLE SSL 3.0 vulnerability (CVE-2014-3566) in Postfix and Dovecot, Red Hat recommends disabling SSL, if it is enabled, and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols. However, the use of SSLv2 or SSLv3 is now strongly recommended against."

A similar statement is given for Red Hat Enterprise Linux 7 on chapter 14.1.8. Enabling the mod_ssl Module and many other chapters:

"Due to the vulnerability described in POODLE: SSLv3 vulnerability (CVE-2014-3566), Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, or enable them by default. However, the use of SSLv2 or SSLv3 is now strongly recommended against."

This should, in my opinion, not be stated in a way that suggests users disable SSL rather than disable just the vulnerable protocols.

I do understand that there was some renaming done and after SSLv3, SSL was renamed to TLS; however, this still suggests users leave SSL altogether, and this term is still mostly used to describe secure protocols.
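For reference, the reading the poster argues for, that "disable SSL" means disabling the SSLv2 and SSLv3 protocol versions while keeping TLS itself enabled, looks like this in Postfix `main.cf`. This is an added example, not text from the Red Hat documentation or the original post; the "before" lines are a constructed illustration of a configuration that still permits SSLv3, not a claim about any release's defaults.

```ini
# Added example: Postfix main.cf protocol settings (not from the page or from Red Hat docs).

# Constructed "before" state: only SSLv2 is excluded, so SSLv3 (the POODLE-
# affected version) is still negotiable on opportunistic TLS connections.
# smtpd_tls_protocols = !SSLv2

# Corrected state: exclude both legacy SSL versions on every policy level,
# for the server side (smtpd_*) and the client side (smtp_*). The leading "!"
# form excludes versions rather than listing allowed ones, so TLSv1.0, 1.1
# and 1.2 remain available and the daemon still offers STARTTLS.
smtpd_tls_protocols           = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_protocols            = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols  = !SSLv2, !SSLv3
```

The equivalent for the mod_ssl chapter the post also cites is `SSLProtocol all -SSLv2 -SSLv3` in the Apache configuration. In both cases the effect is that a client offering only SSLv3 is refused the handshake while TLS clients are unaffected, which is the distinction between "disabling SSL" as a family of legacy protocol versions and disabling encrypted transport altogether.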

Responses