From e6f56309054391f226d45bafc1b9b5b1dc87cf2e Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Sep 21 2018 14:22:11 +0000
Subject: comment-out SSLProtocol, SSLProxyProtocol from ssl.conf in default configuration; now follow OpenSSL system default (#1468322)
Resolves: rhbz#1468322
---
diff --git a/httpd.spec b/httpd.spec
index 9ddb745..6ee6bea 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.34
-Release: 7%{?dist}
+Release: 8%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -733,6 +733,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Fri Sep 21 2018 Joe Orton - 2.4.34-8
+- comment-out SSLProtocol, SSLProxyProtocol from ssl.conf in
+ default configuration; now follow OpenSSL system default (#1468322)
+
 * Fri Sep 21 2018 Joe Orton - 2.4.34-7
 - mod_ssl: follow OpenSSL protocol defaults if SSLProtocol is not configured (Rob Crittenden, #1618371)
diff --git a/ssl.conf b/ssl.conf
index a07bd8f..373b9e5 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -70,11 +70,10 @@ LogLevel warn
 SSLEngine on
 # List the protocol versions which clients are allowed to connect with.
-# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
-# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
-# protocol or later should remain in use.
-SSLProtocol all -SSLv3
-SSLProxyProtocol all -SSLv3
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
 # User agents such as web browsers are not configured for the user's
 # own preference of either security or performance, therefore this
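Review bot: The commented-out examples `#SSLProtocol all -SSLv3` and `#SSLProxyProtocol all -SSLv3` in the ssl.conf hunk remain the obvious lines for an administrator to uncomment, while the removed comment's advice that TLSv1 should be disabled is dropped with nothing put in its place. If they are uncommented, an explicit `all -SSLv3` presumably takes precedence over the system crypto policy and would allow TLSv1.0/1.1 again, which should be confirmed against the mod_ssl change noted for 2.4.34-7. I would add a comment such as `# Uncommenting either directive below overrides the system crypto policy.` and make the examples restrictive, e.g. `#SSLProtocol -all +TLSv1.2`. Since the protocol floor is no longer visible in this file, the comment could also say that the active policy is shown by `update-crypto-policies --show`.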
@@ -83,10 +82,10 @@ SSLProxyProtocol all -SSLv3
 SSLHonorCipherOrder on
 # SSL Cipher Suite:
-# List the ciphers that the client is permitted to negotiate.
-# See the mod_ssl documentation for a complete list.
-# The OpenSSL system profile is configured by default. See
-# update-crypto-policies(8) for more details.
+# List the ciphers that the client is permitted to negotiate.
+# See the mod_ssl documentation for a complete list.
+# The OpenSSL system profile is configured by default. See
+# update-crypto-policies(8) for more details.
 SSLCipherSuite PROFILE=SYSTEM
 SSLProxyCipherSuite PROFILE=SYSTEM