
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol

On Thu, 14 Aug 2008, Michael Ströder wrote:
> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for, 
> isn't it? It's directly passed to OpenSSL and can also be used to enable 
> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.

Nope.  The cipher suite list and protocol versions supported are 
orthogonal: even if you include "!SSLv2" in your cipher suite, openssl 
will still send an SSLv2-compatible handshake.  Ditto on the server side: 
when OpenSSL announced a vulnerability in the server SSLv2 handshake code, 
I looked at whether specifying "!SSLv2" in the cipher spec would protect 
the server as a workaround.  Nope: only setting the SSL_OP_NO_SSLv2 option 
or using an SSLv3-only or TLSv1-only method would do it.

> Apache HTTP server does it also that way. See:
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

They also have the "SSLProtocol" directive, further down on that page.  

Philip Guenther
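An added example, not code from the ITS thread or from OpenLDAP: Python's ssl module wraps the same two OpenSSL knobs the reply distinguishes, the cipher string (SSL_CTX_set_cipher_list) and the protocol floor (SSL_OP_NO_* options or a version-specific method, exposed here as minimum_version). The cipher string and the TLSv1.2 floor used below are constructed for the example.

```python
import ssl

# Constructed cipher string for the example: narrows the suite list only.
CIPHER_STRING = "ECDHE+AESGCM:!aNULL:!MD5"
# Constructed protocol floor for the example (modern analogue of SSL_OP_NO_SSLv2).
FLOOR = ssl.TLSVersion.TLSv1_2


def build_context(cipher_string=None, minimum_version=None):
    """Build a client context, applying only the knobs that were given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cipher_string is not None:
        # Same knob as SSL_CTX_set_cipher_list(): selects suites, nothing else.
        ctx.set_ciphers(cipher_string)
    if minimum_version is not None:
        # Same effect as SSL_OP_NO_* / a version-specific method: the protocol floor.
        ctx.minimum_version = minimum_version
    return ctx


def protocol_floor(ctx):
    """Lowest protocol version the context will negotiate."""
    return ctx.minimum_version


def cipher_names(ctx):
    """Sorted names of the suites the context will offer."""
    return sorted(c["name"] for c in ctx.get_ciphers())


def floors_with_and_without_cipher_string():
    """Protocol floor before and after restricting the cipher string.

    The two values are identical: a cipher string does not move the floor,
    which is the orthogonality the reply describes.
    """
    baseline = build_context()
    restricted = build_context(cipher_string=CIPHER_STRING)
    return protocol_floor(baseline), protocol_floor(restricted)


if __name__ == "__main__":
    before, after = floors_with_and_without_cipher_string()
    print("floor without cipher string:", before.name)
    print("floor with cipher string:   ", after.name)
    print("floor with explicit minimum:", protocol_floor(build_context(minimum_version=FLOOR)).name)
```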