
Re: SSL 3.0 and older ciphers selected in applications



On Mon, Dec 08, 2014 at 09:16:45AM +0100, Daniel Pocock wrote:
> 
> Hi all,
> 
> I've made some changes to TLS code in reSIProcate
> 
> - setting OpenSSL's SSL_OP_NO_SSLv3 by default when using SSLv23_method()

This has no effect in jessie.  SSLv2 and SSLv3 are disabled if you
use the SSLv23_* methods.  The only way to enable SSLv3 is to use
the SSLv3_* methods.  You should always use the SSLv23 method as
those are the only ones that support more than 1 protocol version.

I would love to see people stopping the SSLv3 methods, and they
have been removed in experimental.  I'm also working on only
having the SSLv23 method available.


Kurt
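
The check below is an added example, not part of the original message and not reSIProcate code. It uses Python's `ssl` module, which wraps OpenSSL and whose `PROTOCOL_TLS` is the version-flexible SSLv23 method under its newer name, to list every reason a context cannot negotiate SSLv3. The function names are hypothetical, and the `minimum_version` check is a newer mechanism that the message does not mention.

```python
import ssl
import warnings


def version_flexible_context():
    """Python counterpart of SSL_CTX_new(SSLv23_method()) with
    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 set explicitly."""
    with warnings.catch_warnings():
        # Newer Python releases flag this method and the OP_NO_* options
        # as deprecated; silence that so the example runs cleanly.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS)  # PROTOCOL_SSLv23 is an alias
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def sslv3_blockers(ctx):
    """Return the independent reasons this context cannot negotiate SSLv3."""
    reasons = []
    if not ssl.HAS_SSLv3:
        # The linked OpenSSL was built without SSLv3 support at all.
        reasons.append("library built without SSLv3")
    if ctx.options & ssl.OP_NO_SSLv3:
        # The option discussed in the thread.
        reasons.append("OP_NO_SSLv3 set")
    if ctx.minimum_version > ssl.TLSVersion.SSLv3:
        # Explicit version floor (MINIMUM_SUPPORTED compares below SSLv3).
        reasons.append("minimum_version above SSLv3")
    return reasons


def sslv3_negotiable(ctx):
    """True only when nothing at all prevents an SSLv3 handshake."""
    return not sslv3_blockers(ctx)


if __name__ == "__main__":
    ctx = version_flexible_context()
    for reason in sslv3_blockers(ctx):
        print("SSLv3 blocked:", reason)
    print("SSLv3 negotiable:", sslv3_negotiable(ctx))
```
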

