Disable SSL3 and enable TLS1? / Ambiguous "DES-CBC3-SHA"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>> You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.
Yes, I admit I am not distinguishing between these.  However, !SSLv3  in the
cipher list does evidently disable the SSLv3 protocol as well--as evidenced
by testing with https://www.ssllabs.com/ssltest

Since I don't have source for the application I can only control OpenSSL's
behavior through the cypher list.  I guess I will have to choose between
leaving SSLv3 enabled and breaking Android and IE on XP users (that require
TLSv1).

>From the symptoms, it sure seems like OpenSSL mistakenly uses the string
"DES-CBC3-SHA" to refer to both TLS and SSL3 (see
https://www.openssl.org/docs/apps/ciphers.html )  Is this really
intentional?  In other words, is the SSLv3 cipher
SSL_RSA_WITH_3DES_EDE_CBC_SHA actually the same as the TLS cipher
TLS_RSA_WITH_DES_CBC_SHA?



-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
Viktor Dukhovni
Sent: Monday, April 06, 2015 7:44 PM
To: openssl-users at openssl.org
Subject: Re: Disable SSL3 and enable TLS1? / Ambiguous
"DES-CBC3-SHA"

On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:

> I would like to disable SSL3 (to prevent POODLE attacks), but I would 
> like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and 
> AES256-SHA).

You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.  To disable
the protocol set "SSL_OP_NO_SSLv3" via SSL_CTX_set_options().

> Is there no way to disable SSL3 while leaving 
> TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?

Yes, disable the protocol, not the ciphers.

-- 
	Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux