>> Is OpenSSL in its own DLL/DLLs? Yes, the OpenSSL DLL?s libeay32.dll and ssleay32.dll are used, and in fact I have updated them to 1.0.2a Yes, performing my own build on these DLL?s is an option, and I may pursue it. I just need to get a Windows dev environment set up to build these. From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Jakob Bohm Sent: Tuesday, April 07, 2015 9:57 AM To: openssl-users at openssl.org Subject: Re: Disable SSL3 and enable TLS1? / Ambiguous "DES-CBC3-SHA" On 07/04/2015 17:09, David Rueter wrote: You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. Yes, I admit I am not distinguishing between these. However, !SSLv3 in the cipher list does evidently disable the SSLv3 protocol as well--as evidenced by testing with https://www.ssllabs.com/ssltest Since I don't have source for the application I can only control OpenSSL's behavior through the cypher list. I guess I will have to choose between leaving SSLv3 enabled and breaking Android and IE on XP users (that require TLSv1). Is OpenSSL in its own DLL/DLLs? If so, could you simply recompile OpenSSL (at latest patchlevel) without the SSL3 protocol? This would also provide all the other security fixes that have been added to OpenSSL since someone gave you the program. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150407/ea97ec4b/attachment.html>
