[openssl-users] Disable SSL3 and enable TLS1? / Ambiguous "DES-CBC3-SHA"

David Rueter drueter at assyst.com
Tue Apr 7 15:09:31 UTC 2015

>> You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.
Yes, I admit I am not distinguishing between these.  However, !SSLv3  in the
cipher list does evidently disable the SSLv3 protocol as well--as evidenced
by testing with https://www.ssllabs.com/ssltest

Since I don't have source for the application I can only control OpenSSL's
behavior through the cypher list.  I guess I will have to choose between
leaving SSLv3 enabled and breaking Android and IE on XP users (that require

>From the symptoms, it sure seems like OpenSSL mistakenly uses the string
"DES-CBC3-SHA" to refer to both TLS and SSL3 (see
https://www.openssl.org/docs/apps/ciphers.html )  Is this really
intentional?  In other words, is the SSLv3 cipher
SSL_RSA_WITH_3DES_EDE_CBC_SHA actually the same as the TLS cipher

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, April 06, 2015 7:44 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Disable SSL3 and enable TLS1? / Ambiguous

On Mon, Apr 06, 2015 at 05:11:22PM -0700, David Rueter wrote:

> I would like to disable SSL3 (to prevent POODLE attacks), but I would 
> like to leave TLS1 enabled (particularly DES-CBC3-SHA, AES128-SHA and 
> AES256-SHA).

You're confusing SSLv3 the protocol, with SSLv3 ciphersuites.  To disable
the protocol set "SSL_OP_NO_SSLv3" via SSL_CTX_set_options().

> Is there no way to disable SSL3 while leaving 

Yes, disable the protocol, not the ciphers.

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list