The IETF has taken an official stance in the matter: SSL 3.0 is now deprecated.
It’s been a long time coming. Like many others, we’ve had SSL 3.0 disabled on all our servers for multiple years now. And I’m now happy to report the IETF is making the end of SSL 3.0 “official”.
The Secure Sockets Layer version 3.0 (SSLv3), as specified in RFC 6101, is not sufficiently secure. This document requires that SSLv3 not be used.
The replacement versions, in particular, Transport Layer Security (TLS) 1.2 (RFC 5246), are considerably more secure and capable protocols.
Initiatives like disablessl3.com have been around for quite a while, urging system administrators to disable SSLv3 wherever possible. With POODLE as its best-known attack, the death of SSLv3 is a very welcome one.
The RFC targets everyone using SSL 3.0: servers as well as clients.
Pragmatically, clients MUST NOT send a ClientHello with ClientHello.client_version set to {03,00}.
Similarly, servers MUST NOT send a ServerHello with ServerHello.server_version set to {03,00}. Any party receiving a Hello message with the protocol version set to {03,00} MUST respond with a “protocol_version” alert message and close the connection.
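The two MUST NOT rules quoted above (from RFC 7568) boil down to one check on the version field of a Hello message. The following Python is an added example, not code from the post or from the IETF: it parses the first bytes of a handshake record, reports whether the peer is offering version {03,00}, and builds the fatal "protocol_version" alert record (alert description 70 in RFC 5246) that must be sent before closing the connection. The `make_client_hello` helper produces a constructed, truncated ClientHello that carries only the fields the check needs; the record-layer version written into the alert is an arbitrary choice of TLS 1.0.

```python
"""Added example (not from the original post): a minimal implementation of
the SSLv3 rejection rule in RFC 7568.

Given the leading bytes of a received handshake record, decide whether the
peer's Hello carries protocol version {03,00} and, if so, produce the fatal
"protocol_version" alert record the RFC says must be sent before closing.
"""
import struct

# Content types, handshake types and alert codes from RFC 5246.
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02
ALERT_LEVEL_FATAL = 0x02
ALERT_PROTOCOL_VERSION = 70

SSL3_VERSION = (3, 0)  # {03,00}


def hello_version(record: bytes):
    """Return (major, minor) from ClientHello.client_version or
    ServerHello.server_version, or None if this is not a Hello record.

    Layout: record header = type(1) version(2) length(2);
            handshake header = type(1) length(3);
            the Hello body then begins with its own 2-byte version field."""
    if len(record) < 11 or record[0] != CONTENT_HANDSHAKE:
        return None
    if record[5] not in (HANDSHAKE_CLIENT_HELLO, HANDSHAKE_SERVER_HELLO):
        return None
    return record[9], record[10]


def offers_sslv3(record: bytes) -> bool:
    """True when the Hello's protocol version is exactly {03,00}."""
    return hello_version(record) == SSL3_VERSION


def protocol_version_alert(record_version=(3, 1)) -> bytes:
    """Build the fatal protocol_version alert record required by RFC 7568.
    The record-layer version is a free choice; TLS 1.0 (3,1) is assumed."""
    body = bytes([ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION])
    header = struct.pack("!BBBH", CONTENT_ALERT,
                         record_version[0], record_version[1], len(body))
    return header + body


def handle_hello(record: bytes):
    """Return (accept, response): accept is False and response is the
    alert bytes to send when the peer offers SSLv3; otherwise (True, None)."""
    if offers_sslv3(record):
        return False, protocol_version_alert()
    return True, None


def make_client_hello(major: int, minor: int) -> bytes:
    """Constructed sample: a truncated ClientHello carrying only the
    version field (random, session id, cipher suites omitted; lengths
    reflect the short body). Used to exercise the check offline."""
    body = bytes([major, minor])
    handshake = (bytes([HANDSHAKE_CLIENT_HELLO])
                 + len(body).to_bytes(3, "big") + body)
    header = struct.pack("!BBBH", CONTENT_HANDSHAKE, major, minor, len(handshake))
    return header + handshake


if __name__ == "__main__":
    for version in ((3, 0), (3, 3)):
        accept, alert = handle_hello(make_client_hello(*version))
        print(version, "accepted" if accept else f"rejected, alert={alert.hex()}")
```

A real implementation would run this check inside the record-layer parser of the server or client; the point here is only that the decision rests on the Hello version field, not on the record-layer version, which clients commonly set lower than the version they actually offer.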
SSL is dead. Long live TLS 1.2(*).
(*) while it lasts.