On Wed, 2014-06-04 at 13:03 +0000, Viktor Dukhovni wrote:
> On Wed, Jun 04, 2014 at 10:45:59AM +0200, Tomas Mraz wrote:
>
> > SSLv2 is disabled by default, however when you use the ALL cipher list
> > which is of course something you should not do but it happened in perl
> > LDAP module the SSLv2 ciphers are added to the cipherlist and SSLv2
> > client hello is used.
>
> In Postfix, I use the "ALL" cipherlist, but I also pass SSL_OP_NO_SSLv2
> to SSL_CTX_set_options(). If you can append exclusions to the cipherlist,
> you can use 'ALL:...:!SSLv2'.
>

I know that. We are fixing perl-LDAP to not use ALL at all and stick
with the default. However we will be patching openssl anyway for any
other 3rd party cases where they intentionally or not enable SSLv2
client hello.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org