[Date Prev][Date Next]
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
On Thu, 14 Aug 2008, Michael Ströder wrote:
> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for,
> isn't it? It's directly passed to OpenSSL and can also be used to enable
> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.
Nope. The cipher suite list and protocol versions supported are
orthogonal: even if you include "!SSLv2" in your cipher suite, openssl
will still send an SSLv2-compatible handshake. Ditto on the server side:
when OpenSSL announced a vulnerability in the server SSLv2 handshake code,
I looked at whether specifying "!SSLv2" in the cipher spec would protect
the server as a workaround. Nope: only setting the SSL_OP_NO_SSLv2 option
or using a SSLv3-only or TLSv1-only method would do it.
> Apache HTTP server does it also that way. See:
They also have the "SSLProtocol" directive, further down on that page.