Working around servers requiring SSL 2/3 record layer, and using TLS 1.2?

> On Feb 10, 2016, at 9:28 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> 
>> You should then disable unwanted protocols that are too weak.  In master
>> use the new min/max version controls and avoid the SSL_OP_NO_<some_version>
>> macros.  In 1.0.x, use the macros to disable some contiguous set of protocol
>> versions starting at SSLv2.
>> 
> Thanks Viktor. It sounds like Master is in good working order. Is
> there anything that can be done with OpenSSL 1.0.2?

Use SSLv23_method() (or SSLv23_client_method() if you prefer) and disable
unwanted protocols via the SSL_OP_NO_<someversion> macros, making sure to
disable each of SSLv2, SSLv3, ... up to some last protocol version you
want to disable without leaving any gaps.  That is, don't make the mistake
of disabling SSLv2 and TLSv1 while leaving SSLv3 enabled which creates
"holes" in the range of supported protocols (in this case TLSv1 is a "hole"
between SSLv3 and TLSv1.1).

-- 
	Viktor.
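
A self-check for the "no holes" rule described in the reply above, as an added example that is not part of the original message or of OpenSSL. The enum names, `NO()`, `first_hole()` and `is_contiguous_prefix()` are hypothetical, and the bit positions are local stand-ins rather than the real SSL_OP_NO_<version> values.

```c
#include <stdio.h>

/* Added example. Protocol versions in ascending order; these names and bit
 * positions are local stand-ins, NOT the values of OpenSSL's
 * SSL_OP_NO_<version> macros. */
enum { P_SSLV2, P_SSLV3, P_TLSV1, P_TLSV1_1, P_TLSV1_2, P_COUNT };
#define NO(p) (1u << (p))

static const char *const proto_name[P_COUNT] = {
    "SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"
};

/* Index of the first disabled version that sits between two enabled ones
 * (a "hole"), or -1 if the enabled versions form one contiguous range. */
int first_hole(unsigned disabled)
{
    int lo = -1, hi = -1, i;
    for (i = 0; i < P_COUNT; i++)
        if (!(disabled & NO(i))) { if (lo < 0) lo = i; hi = i; }
    for (i = lo + 1; lo >= 0 && i < hi; i++)
        if (disabled & NO(i)) return i;
    return -1;
}

/* The stricter rule from the message: the disabled set is SSLv2, SSLv3, ...
 * up to some last version with no gaps, and at least one version remains. */
int is_contiguous_prefix(unsigned disabled)
{
    unsigned all = NO(P_COUNT) - 1;
    disabled &= all;
    return disabled != all && (disabled & (disabled + 1)) == 0;
}

static void report(const char *label, unsigned disabled)
{
    int h = first_hole(disabled);
    printf("%-20s prefix=%d hole=%s\n", label,
           is_contiguous_prefix(disabled), h < 0 ? "none" : proto_name[h]);
}

int main(void)
{
    /* Constructed masks; in real 1.0.x code each NO(x) corresponds to the
     * matching SSL_OP_NO_<version> bit passed to SSL_CTX_set_options(). */
    report("no SSLv2, no SSLv3", NO(P_SSLV2) | NO(P_SSLV3));
    report("no SSLv2, no TLSv1", NO(P_SSLV2) | NO(P_TLSV1));
    return 0;
}
```

The second mask is the mistake named in the message: SSLv3 stays enabled, so TLSv1 is reported as the hole.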


