[openssl-dev] Disabling SSLv3 in OpenSSL 0.9.8a

Dr. Stephen Henson steve at openssl.org
Fri Jan 23 16:50:47 UTC 2015


On Fri, Jan 23, 2015, Thirumal, Karthikeyan wrote:

> Team,
> In order to fix the Poodle vulnerability on SSLv3, I tried to disable my SSLv3 cipher using the below cipher set, but it did not even initiate SSL in 0.9.8a.
> 
> SSL_CTX_set_cipher_list(ssl_ctx,"SHA1+HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:@STRENGTH");
> 
> Without "!SSLv3", my SSL connection is working fine, blocking just SSLv2.
> 
> Can you advise if the above cipher list is right?
> 

You can't disable SSL 3.0 using a cipher list. The string "SSLv3" indicates
ciphers which require a minimum of SSL 3.0 and so includes ciphersuites 
which can be used for SSL 3.0 or TLS 1.0. There aren't any ciphersuites
suitable for TLS 1.0 and not SSL 3.0 so when you use !SSLv3 you disable
all TLS 1.0 and SSL v3.0 ciphersuites.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
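Added example, not part of Steve's reply or the original question: Python's ssl module calls the same SSL_CTX_set_cipher_list that the question uses, so it can show how the "SSLv3" alias resolves and where protocol control actually lives (the version floor, i.e. SSL_CTX_set_min_proto_version or the SSL_OP_NO_SSLv3 option in the C API). It assumes a Python linked against OpenSSL 1.1 or later; on 0.9.8a every known suite has SSL 3.0 as its minimum, so the "!SSLv3" variant would match nothing, as Steve describes.

```python
import ssl

# Cipher strings from the thread, with and without the "!SSLv3" rule.
WITH_EXCLUSION = "SHA1+HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:@STRENGTH"
WITHOUT_EXCLUSION = "SHA1+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH"


def resolve_cipher_list(spec):
    """Expand an OpenSSL cipher string and group the suites by the minimum
    protocol version OpenSSL tags them with ("SSLv3", "TLSv1.0", "TLSv1.2").

    "SSLv3" is a *minimum*, not an exclusive protocol: a suite tagged SSLv3
    is also what TLS 1.0 uses, so "!SSLv3" removes it from TLS 1.0 as well.
    Returns {} when OpenSSL rejects the string with "no cipher match", which
    is the outcome on an OpenSSL (such as 0.9.8a) where every suite has
    SSL 3.0 as its minimum. Later releases tag some suites with a higher
    minimum, so the surviving set on a current build may differ.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return {}
    by_protocol = {}
    for cipher in ctx.get_ciphers():
        # TLS 1.3 suites are not governed by the cipher string; skip them.
        if cipher["protocol"] == "TLSv1.3":
            continue
        by_protocol.setdefault(cipher["protocol"], []).append(cipher["name"])
    return by_protocol


def poodle_safe_context(cipher_spec=WITHOUT_EXCLUSION):
    """Disable SSL 3.0 the way the cipher string cannot: via the protocol
    floor. TLS 1.2 is chosen as the floor here (assumption for this example);
    the cipher string remains a separate knob and keeps the working list
    from the question, without "!SSLv3"."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_spec)
    return ctx


if __name__ == "__main__":
    for spec in (WITHOUT_EXCLUSION, WITH_EXCLUSION):
        print(spec)
        for proto, names in sorted(resolve_cipher_list(spec).items()):
            print(f"  {proto}: {', '.join(sorted(names))}")
```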