
Re: (ITS#5655) add option for setting minimum TLS/SSL protocol



Philip Guenther wrote:
> On Thu, 14 Aug 2008, Michael Ströder wrote:
> ...
>> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for, 
>> isn't it? It's directly passed to OpenSSL and can also be used to enable 
>> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.
> 
> Nope.  The cipher suite list and protocol versions supported are 
> orthogonal: even if you include "!SSLv2" in your cipher suite, openssl 
> will still send an SSLv2-compatible handshake.  Ditto on the server side: 
> when OpenSSL announced a vulnerability in the server SSLv2 handshake code, 
> I looked at whether specifying "!SSLv2" in the cipher spec would protect 
> the server as a workaround.  Nope: only setting the SSL_OP_NO_SSLv2 option 
> or using an SSLv3-only or TLSv1-only method would do it.

Ok.

>> Apache HTTP server does it also that way. See:
>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
> 
> They also have the "SSLProtocol" directive, further down on that page.  

Then I'd vote for doing it exactly like this with one option (space- or 
comma-separated list of protocols).

Ciao, Michael.
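An added example, not code from this thread, from OpenLDAP or from OpenSSL: a parser for the Apache-style protocol list that Michael votes for above, plus the mapping onto the SSL_OP_NO_* options that Philip points out are what actually stop a version from being negotiated (the cipher list, "!SSLv2" included, does not). Function names, the bit layout and the HAVE_OPENSSL build flag are assumptions for illustration; the SSL_OP_NO_SSLv2/SSLv3/TLSv1 option names are real OpenSSL macros, and the TLSv1.1/1.2 ones are guarded because they arrived in OpenSSL 1.0.1, after this 2008 thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, POSIX */

/* One bit per protocol version the hypothetical option may name. */
enum {
    PROTO_SSLv2   = 1u << 0,
    PROTO_SSLv3   = 1u << 1,
    PROTO_TLSv1   = 1u << 2,
    PROTO_TLSv1_1 = 1u << 3,
    PROTO_TLSv1_2 = 1u << 4,
    PROTO_ALL     = PROTO_SSLv2 | PROTO_SSLv3 | PROTO_TLSv1 | PROTO_TLSv1_1 | PROTO_TLSv1_2
};

static const struct { const char *name; unsigned bits; } proto_names[] = {
    { "all",     PROTO_ALL },
    { "SSLv2",   PROTO_SSLv2 },
    { "SSLv3",   PROTO_SSLv3 },
    { "TLSv1",   PROTO_TLSv1 },
    { "TLSv1.1", PROTO_TLSv1_1 },
    { "TLSv1.2", PROTO_TLSv1_2 },
};

/* Case-insensitive lookup of a token of length len; 0 if unknown. */
static unsigned proto_lookup(const char *tok, size_t len)
{
    size_t i;
    for (i = 0; i < sizeof proto_names / sizeof proto_names[0]; i++) {
        if (strlen(proto_names[i].name) == len &&
            strncasecmp(proto_names[i].name, tok, len) == 0)
            return proto_names[i].bits;
    }
    return 0;
}

/* Parse an Apache SSLProtocol-style list such as "all -SSLv2 -SSLv3" or
 * "TLSv1,TLSv1.2".  Tokens are separated by spaces or commas; a leading
 * '-' removes a version, '+' or nothing adds it.  Evaluation is left to
 * right, so "all -SSLv2" and "-SSLv2 all" differ, as in Apache.
 * Returns 0 with the allowed set in *allowed, -1 on an unknown token,
 * -2 if nothing is left enabled (better rejected at config time than
 * discovered later as every handshake failing). */
int tls_parse_protocol_list(const char *spec, unsigned *allowed)
{
    unsigned set = 0;
    const char *p = spec;

    while (*p) {
        const char *start;
        int op = '+';
        unsigned bits;

        while (*p == ' ' || *p == '\t' || *p == ',') p++;
        if (!*p) break;
        if (*p == '+' || *p == '-') op = *p++;
        start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != ',') p++;

        bits = proto_lookup(start, (size_t)(p - start));
        if (bits == 0)
            return -1;
        if (op == '-')
            set &= ~bits;
        else
            set |= bits;
    }
    if (set == 0)
        return -2;
    *allowed = set;
    return 0;
}

/* The versions that must be switched off in the TLS library. */
unsigned tls_disabled_mask(unsigned allowed)
{
    return PROTO_ALL & ~allowed;
}

#ifdef HAVE_OPENSSL   /* assumed build flag, not part of the page */
#include <openssl/ssl.h>
/* Map the disabled set onto SSL_OP_NO_* for SSL_CTX_set_options().  These
 * options are what keep a version out of the handshake; "!SSLv2" in the
 * cipher list does not, as the thread above notes. */
unsigned long tls_openssl_no_options(unsigned disabled)
{
    unsigned long opts = 0;
    if (disabled & PROTO_SSLv2)   opts |= SSL_OP_NO_SSLv2;
    if (disabled & PROTO_SSLv3)   opts |= SSL_OP_NO_SSLv3;
    if (disabled & PROTO_TLSv1)   opts |= SSL_OP_NO_TLSv1;
#ifdef SSL_OP_NO_TLSv1_1
    if (disabled & PROTO_TLSv1_1) opts |= SSL_OP_NO_TLSv1_1;
#endif
#ifdef SSL_OP_NO_TLSv1_2
    if (disabled & PROTO_TLSv1_2) opts |= SSL_OP_NO_TLSv1_2;
#endif
    return opts;   /* caller: SSL_CTX_set_options(ctx, opts); */
}
#endif

int main(void)
{
    /* Constructed sample values, including two that must be rejected. */
    const char *specs[] = { "all -SSLv2 -SSLv3", "TLSv1,TLSv1.2", "all -SSLv9", "-SSLv2" };
    size_t i;
    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        unsigned allowed = 0;
        int rc = tls_parse_protocol_list(specs[i], &allowed);
        printf("%-20s rc=%d allowed=0x%02x disabled=0x%02x\n", specs[i], rc,
               allowed, rc == 0 ? tls_disabled_mask(allowed) : 0u);
    }
    return 0;
}
```

The parse step is deliberately separate from the library mapping: the allowed set can be validated and logged at config time, and the same set could be handed to GnuTLS or another backend with a different mapping. Rejecting an empty result is the one opinionated choice; a list that disables every version is almost always a typo rather than intent.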