Hi,

Some time back, to fix POODLE, I tried to fix with cipher suite, but still I can use the protocol SSLv3. The server responds with

    openssl s_client -connect ip:port -ssl3

So the fix should come using SSL_CTX_set_options.

I understand since you are using the compiled binary, you may not be in a position to use this API. Maybe you can try with the latest version of openssl with the POODLE fix.

regards,
James

On Tue, Apr 7, 2015 at 8:14 AM, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:

> On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:
>
> > I would like to disable SSL3 (to prevent POODLE attacks), but I would like
> > to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and
> > AES256-SHA).
>
> You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. To disable
> the protocol set "SSL_OP_NO_SSLv3" via SSL_CTX_set_options().
>
> > Is there no way to disable SSL3 while leaving TLS_RSA_WITH_3DES_EDE_CBC_SHA
> > enabled?
>
> Yes, disable the protocol, not the ciphers.
>
> --
> Viktor.
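
Added example, not part of the original thread: the protocol/ciphersuite distinction discussed above, shown with Python's `ssl` module, whose `ssl.OP_NO_SSLv3` is the same OpenSSL option as `SSL_OP_NO_SSLv3`. The cipher strings and function names are constructed for illustration; the "before" context clears the option that Python sets by default, to model a context where nobody set it.

```python
import ssl

# Suites named in the thread (OpenSSL names). DES-CBC3-SHA is compiled out of
# many current OpenSSL builds, so it may be absent from the result.
WANTED = ("DES-CBC3-SHA", "AES128-SHA", "AES256-SHA")


def enabled_suites(ctx):
    """Map cipher name -> the protocol label OpenSSL attaches to that suite."""
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def cipher_level_attempt():
    """Constructed 'before': exclude SSLv3 *ciphersuites*, leave the protocol on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options &= ~ssl.OP_NO_SSLv3  # model a context where the option was never set
    # "!SSLv3" removes every suite first defined in SSL 3.0, which includes
    # the CBC-SHA suites that TLS 1.0 clients negotiate.
    ctx.set_ciphers(":".join(WANTED) + ":AES128-GCM-SHA256:!SSLv3")
    return ctx


def protocol_level_fix():
    """Disable the SSLv3 *protocol* and leave the cipher list alone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Same bit that C code passes to SSL_CTX_set_options().
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.set_ciphers(":".join(WANTED))
    return ctx


def report(ctx):
    """Summarise protocol state and which of the wanted suites survived."""
    suites = enabled_suites(ctx)
    return {
        "sslv3_protocol_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        "wanted_suites": {n: suites[n] for n in WANTED if n in suites},
    }


if __name__ == "__main__":
    for label, make in (("cipher-level", cipher_level_attempt),
                        ("protocol-level", protocol_level_fix)):
        print(label, report(make()))
```

The protocol label printed beside each surviving suite is the version in which the suite was first defined, not the protocol version a connection will use.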