Forum OpenACS CMS: Re: "This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C. MORE INFO"

It is not the case that with the default configuration only SSLv2 is active; rather, with the default configuration only SSLv2 is disabled ... and SSLv3 should be disabled as well. The syntax for this is determined by OpenSSL (aside from the fact that the parameter has to be properly quoted for Tcl). Just set the "protocols" parameter in the nsssl section to "!SSLv2:!SSLv3", which means: disable SSLv2 and SSLv3.

One should probably deactivate SSLv3 by default (with the cost that some old SSL clients might fail). I will update the default configuration on bitbucket to the more secure setting.

The security rating of openacs.org (running NaviServer 4.99.17) is A+. You should be able to get the same.

-gn

[1] https://www.ssllabs.com/ssltest/analyze.html?d=openacs.org&s=2001%3a628%3a404%3a74%3a0%3a0%3a0%3a31&hideResults=on&latest
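The nsssl configuration described in the reply above, as an added example that is not part of the original post or of the NaviServer distribution. It shows the weaker setting (only SSLv2 disabled) next to the corrected one; the server name, listen address and certificate path are placeholder assumptions.

```tcl
# Added example (not from the original post): NaviServer configuration
# fragment for the nsssl module. Server name, address and certificate
# path are placeholders to be replaced with real values.
set server "openacs"

# Load the nsssl driver for this server.
ns_section ns/server/${server}/modules
ns_param   nsssl        nsssl.so

ns_section ns/server/${server}/module/nsssl
ns_param   address      0.0.0.0
ns_param   port         443
# Placeholder: PEM file holding the private key and certificate chain.
ns_param   certificate  /path/to/placeholder/server.pem

# Weak (older default): only SSLv2 is disabled, so a client can still be
# downgraded to SSLv3 and the server stays exposed to POODLE.
#ns_param  protocols    "!SSLv2"

# Corrected: disable SSLv2 and SSLv3. The value uses OpenSSL's protocol
# list syntax; it is quoted so Tcl passes the colon-separated string
# through unchanged.
ns_param   protocols    "!SSLv2:!SSLv3"
```

After restarting the server, confirm the change from the outside: `openssl s_client -connect your.host:443 -ssl3` (with an OpenSSL build that still supports the `-ssl3` option) should fail the handshake, while a plain `openssl s_client -connect your.host:443` still negotiates a TLS session. The SSL Labs scan linked in the post above gives the same result in report form.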