>> You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.

Yes, I admit I am not distinguishing between these. However, !SSLv3 in the cipher list does evidently disable the SSLv3 protocol as well--as evidenced by testing with https://www.ssllabs.com/ssltest

Since I don't have source for the application I can only control OpenSSL's behavior through the cypher list.

I guess I will have to choose between leaving SSLv3 enabled and breaking Android and IE on XP users (that require TLSv1).

From the symptoms, it sure seems like OpenSSL mistakenly uses the string "DES-CBC3-SHA" to refer to both TLS and SSL3 (see https://www.openssl.org/docs/apps/ciphers.html )

Is this really intentional? In other words, is the SSLv3 cipher SSL_RSA_WITH_3DES_EDE_CBC_SHA actually the same as the TLS cipher TLS_RSA_WITH_DES_CBC_SHA?

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Viktor Dukhovni
Sent: Monday, April 06, 2015 7:44 PM
To: openssl-users at openssl.org
Subject: Re: Disable SSL3 and enable TLS1? / Ambiguous "DES-CBC3-SHA"

On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:

> I would like to disable SSL3 (to prevent POODLE attacks), but I would
> like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and
> AES256-SHA).

You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. To disable the protocol set "SSL_OP_NO_SSLv3" via SSL_CTX_set_options().

> Is there no way to disable SSL3 while leaving
> TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?

Yes, disable the protocol, not the ciphers.

--
	Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
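
The protocol-versus-ciphersuite distinction from the reply above, as an added example (not code from the thread or from OpenSSL): Python's ssl module wraps the same OpenSSL calls, so it can show that switching off the SSLv3 protocol keeps the suites OpenSSL labels "SSLv3", while "!SSLv3" in the cipher string removes those suites themselves. The function names are illustrative, and DES-CBC3-SHA is listed only if the local OpenSSL build still includes 3DES.

```python
import ssl
import warnings

# The three suites named in the thread (OpenSSL cipher-string names).
SUITES = "DES-CBC3-SHA:AES128-SHA:AES256-SHA"


def server_context(cipher_string=SUITES):
    """Server context with the SSLv3 *protocol* off and the given suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        # Newer Python versions may flag OP_NO_* as deprecated; still valid.
        warnings.simplefilter("ignore", DeprecationWarning)
        # Same effect as SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3).
        ctx.options |= ssl.OP_NO_SSLv3
    # Same effect as SSL_CTX_set_cipher_list(ctx, cipher_string).
    ctx.set_ciphers(cipher_string)
    return ctx


def legacy_suites(ctx):
    """Return {suite name: protocol label} for the thread's suites in ctx."""
    wanted = set(SUITES.split(":"))
    return {c["name"]: c["protocol"]
            for c in ctx.get_ciphers() if c["name"] in wanted}


def cipher_string_ok(cipher_string):
    """True if OpenSSL can select at least one pre-TLS 1.3 suite from it."""
    try:
        server_context(cipher_string)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    ctx = server_context()
    print("SSLv3 protocol disabled:", bool(ctx.options & ssl.OP_NO_SSLv3))
    # The label is the protocol version that introduced the suite; the
    # suites stay enabled for TLS 1.0 and later with the protocol off.
    for name, label in sorted(legacy_suites(ctx).items()):
        print(f"{name:14} labelled {label}")
    # "!SSLv3" deletes every suite carrying that label, leaving nothing
    # from this list for a TLS 1.0 client to negotiate.
    print("with !SSLv3 usable:", cipher_string_ok(SUITES + ":!SSLv3"))
```
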