[openssl-users] Missing ciphers
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Nov 5 00:14:36 UTC 2015
On Thu, Nov 05, 2015 at 12:06:53AM +0000, Matt Caswell wrote:
> > Only ciphers found in the "DEFAULT" cipherlist that are compatible
> > with your server certificate algorithm will be enabled in your
> > server.
>
> Note that in this case an explicit cipher string of TLSv1.2 has been
> set. This *includes* some ciphersuites that are not in DEFAULT, e.g.
> some eNULL based ciphersuites
Thanks, I missed the fact that the server's "cipher" option was also
set to "TLSv1.2". That's rather unwise.
DO NOT use the CIPHER list to control PROTOCOL versions!
DO NOT use the CIPHER list to control PROTOCOL versions!
DO NOT use the CIPHER list to control PROTOCOL versions!
Instead, use the protocol control options. For example:
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
to disable SSLv2 and SSLv3 (disabling TLSv1 and higher is not
generally a good idea for the public Internet, but in more controlled
deployments, one might also disable TLSv1 and TLSv1.1).
On the command-line:
openssl s_server -no_ssl2 -no_ssl3 ...
--
Viktor.
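An added example, not from this thread, that checks Matt's point empirically with `openssl ciphers -v`: the cipher-string keyword "TLSv1.2" selects every suite that needs TLS 1.2, which pulls in NULL-encryption (eNULL) suites that DEFAULT excludes, so it is not a protocol filter. It assumes an `openssl` binary on PATH; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the thread: show why a cipher string is the wrong
# tool for protocol control. The keyword "TLSv1.2" selects every suite that
# needs TLS 1.2, including NULL-encryption (eNULL) suites that DEFAULT drops.
# Assumes the `openssl` binary is on PATH; the function names are made up.

# Print the eNULL suites a cipher string selects, one per line (may be empty).
# `openssl ciphers -v` prints one suite per line; the fifth column is Enc=...
enull_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '$5 == "Enc=None" { print $1 }'
}

# Exit 0 when the cipher string enables at least one eNULL suite, 1 otherwise.
cipherlist_enables_enull() {
    [ -n "$(enull_suites "$1")" ]
}

# Number of suites a cipher string selects, for comparing specs.
suite_count() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -c .
}

# Protocol control belongs in the protocol options, as in the post:
#   openssl s_server -no_ssl2 -no_ssl3 ...
# which keeps the DEFAULT cipher policy (no eNULL) and drops the old protocols.

if command -v openssl >/dev/null 2>&1; then
    for spec in TLSv1.2 DEFAULT; do
        if cipherlist_enables_enull "$spec"; then
            printf '%-8s selects %s suites, including eNULL: %s\n' "$spec" \
                "$(suite_count "$spec")" "$(enull_suites "$spec" | tr '\n' ' ')"
        else
            printf '%-8s selects %s suites, no eNULL\n' "$spec" "$(suite_count "$spec")"
        fi
    done
fi
```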