[openssl-users] Disable SSL3 and enable TLS1? / Ambiguous "DES-CBC3-SHA"
David Rueter
drueter at assyst.com
Tue Apr 7 15:09:31 UTC 2015
>> You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.
Yes, I admit I am not distinguishing between these. However, !SSLv3 in the
cipher list does evidently disable the SSLv3 protocol as well--as evidenced
by testing with https://www.ssllabs.com/ssltest
Since I don't have source for the application I can only control OpenSSL's
behavior through the cipher list. I guess I will have to choose between
leaving SSLv3 enabled and breaking Android and IE on XP users (that require
TLSv1).
From the symptoms, it sure seems like OpenSSL mistakenly uses the string
"DES-CBC3-SHA" to refer to both TLS and SSL3 (see
https://www.openssl.org/docs/apps/ciphers.html ). Is this really
intentional? In other words, is the SSLv3 cipher
SSL_RSA_WITH_3DES_EDE_CBC_SHA actually the same as the TLS cipher
TLS_RSA_WITH_DES_CBC_SHA?
-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, April 06, 2015 7:44 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous
"DES-CBC3-SHA"
On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:
> I would like to disable SSL3 (to prevent POODLE attacks), but I would
> like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and
> AES256-SHA).
You're confusing SSLv3 the protocol, with SSLv3 ciphersuites. To disable
the protocol set "SSL_OP_NO_SSLv3" via SSL_CTX_set_options().
> Is there no way to disable SSL3 while leaving
> TLS_RSA_WITH_3DES_EDE_CBC_SHA enabled?
Yes, disable the protocol, not the ciphers.
--
Viktor.
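
Added example, not part of either message: the protocol/ciphersuite distinction described in the reply above, checked through Python's ssl module (which wraps OpenSSL) instead of the C API named in the thread. The helper names are assumptions of this example, and DES-CBC3-SHA is simply absent from the result where the local OpenSSL build omits 3DES.

```python
import ssl

# Suites named in the thread (OpenSSL cipher-string syntax).
WANTED = "DES-CBC3-SHA:AES128-SHA:AES256-SHA"


def suites(cipher_string):
    """Configure a server context with the SSLv3 *protocol* disabled and
    return {suite name: (OpenSSL protocol label, 16-bit suite id)}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Python's counterpart of SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3).
    ctx.options |= ssl.OP_NO_SSLv3
    # Raises ssl.SSLError when the string selects no pre-TLS-1.3 suite.
    ctx.set_ciphers(cipher_string)
    return {
        c["name"]: (c["protocol"], c["id"] & 0xFFFF)
        for c in ctx.get_ciphers()
        # TLS 1.3 suites are not governed by the cipher string; skip them.
        if c["protocol"] != "TLSv1.3"
    }


def cipher_level_ban(cipher_string):
    """True when appending !SSLv3 leaves none of the requested suites.

    The SSLv3 keyword in a cipher string matches suites by the protocol
    version that introduced them, so it removes them for TLS as well."""
    try:
        return not suites(cipher_string + ":!SSLv3")
    except ssl.SSLError:
        return True


if __name__ == "__main__":
    # The protocol label is the version that defined the suite, not the
    # version that will be negotiated; the suite id is shared by SSLv3 and TLS.
    for name, (label, suite_id) in suites(WANTED).items():
        print(f"{name:14} label={label:8} id=0x{suite_id:04X}")
    print("!SSLv3 removes every requested suite:", cipher_level_ban(WANTED))
```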