On 2006-07-06 at 12:58 +0100, Dennis Davis wrote:
> Is there a reason I'm probably missing for the "!SSLv2" ?

I said "mostly whim" but something was nagging at my memory, a suggestion of more than silly fancy.

It just clicked. SSL version rollback attacks last year. I fixed OpenSSL but went around and made sure that all configurable services couldn't be rolled back by simply refusing to use SSLv2. Some were like that anyway, such as Apache from when I was first learning SSL in more depth and what the cipher list values meant, but most things I had left at their defaults.

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2969>

--
"Everything has three factors: politics, money, and the right way to do it. In that order." -- Gary Donahue

----
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html