[Date Prev][Date Next]
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol
Philip Guenther wrote:
> On Thu, 14 Aug 2008, Michael Ströder wrote:
>> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for,
>> isn't it? It's directly passed to OpenSSL and can also be used to enable
>> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.
> Nope. The cipher suite list and protocol versions supported are
> orthogonal: even if you include "!SSLv2" in your cipher suite, openssl
> will still send an SSLv2-compatible handshake. Ditto on the server side:
> when OpenSSL announced a vulnerability in the server SSLv2 handshake code,
> I looked at whether specifying "!SSLv2" in the cipher spec would protect
> the server as a workaround. Nope: only setting the SSL_OP_NO_SSLv2 option
> or using a SSLv3-only or TLSv1-only method would do it.
>> Apache HTTP server does it also that way. See:
> They also have the "SSLProtocol" directive, further down on that page.
Then I'd vote for doing it exactly like this with one option (space- or
comma-separated list of protocols).