> On Feb 10, 2016, at 9:28 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>
>> You should then disable unwanted protocols that are too weak. In master
>> use the new min/max version controls and avoid the SSL_OP_NO_<some_version>
>> macros. In 1.0.x, use the macros to disable some contiguous set of protocol
>> versions starting at SSLv2.
>>
> Thanks Viktor. It sounds like Master is in good working order. Is
> there anything that can be done with OpenSSL 1.0.2?

Use SSLv23_method() (or SSLv23_client_method() if you prefer) and
disable unwanted protocols via the SSL_OP_NO_<someversion> macros,
making sure to disable each of SSLv2, SSLv3, ... up to some last
protocol version you want to disable without leaving any gaps.

That is, don't make the mistake of disabling SSLv2 and TLSv1 while
leaving SSLv3 enabled which creates "holes" in the range of supported
protocols (in this case TLSv1 is a "hole" between SSLv3 and TLSv1.1).

--
Viktor.
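
The "no gaps" rule from the reply above, as an added example (not code from this thread or from OpenSSL): one helper builds a contiguous disable mask, another finds a hole in an arbitrary mask. The DEMO_NO_* bits are stand-ins assumed here so the block compiles without OpenSSL headers; in 1.0.x code the SSL_OP_NO_<version> macros take their place and the mask is passed to SSL_CTX_set_options().

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in flag bits (assumption for this example). In real 1.0.x code,
   substitute the SSL_OP_NO_<version> macros from <openssl/ssl.h>. */
enum {
    DEMO_NO_SSLv2 = 1 << 0, DEMO_NO_SSLv3 = 1 << 1, DEMO_NO_TLSv1 = 1 << 2,
    DEMO_NO_TLSv1_1 = 1 << 3, DEMO_NO_TLSv1_2 = 1 << 4
};

/* Protocol versions in ascending order, oldest first. */
static const struct { const char *name; unsigned long no_flag; } versions[] = {
    {"SSLv2", DEMO_NO_SSLv2}, {"SSLv3", DEMO_NO_SSLv3}, {"TLSv1", DEMO_NO_TLSv1},
    {"TLSv1.1", DEMO_NO_TLSv1_1}, {"TLSv1.2", DEMO_NO_TLSv1_2}
};
#define NVERSIONS (sizeof versions / sizeof versions[0])

/* Disable every version below index min_idx, starting at SSLv2, no gaps. */
unsigned long disable_below(size_t min_idx)
{
    unsigned long mask = 0;
    for (size_t i = 0; i < min_idx && i < NVERSIONS; i++)
        mask |= versions[i].no_flag;
    return mask;
}

/* Return the index of the first disabled version that sits between two
   enabled ones (a "hole"), or -1 if the enabled range is contiguous. */
int first_hole(unsigned long mask)
{
    int seen_enabled = 0, candidate = -1;
    for (size_t i = 0; i < NVERSIONS; i++) {
        if (!(mask & versions[i].no_flag)) {
            if (candidate >= 0)
                return candidate;      /* enabled again after a disabled one */
            seen_enabled = 1;
        } else if (seen_enabled && candidate < 0) {
            candidate = (int)i;        /* disabled above an enabled version */
        }
    }
    return -1;
}

int main(void)
{
    /* The mistake from the reply: SSLv2 and TLSv1 off, SSLv3 left on. */
    int hole = first_hole(DEMO_NO_SSLv2 | DEMO_NO_TLSv1);
    printf("bad mask hole: %s\n", hole < 0 ? "none" : versions[hole].name);
    printf("contiguous mask hole index: %d\n", first_hole(disable_below(2)));
    return 0;
}
```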