On Wed, 2014-06-04 at 13:03 +0000, Viktor Dukhovni wrote:
> On Wed, Jun 04, 2014 at 10:45:59AM +0200, Tomas Mraz wrote:
> 
> > SSLv2 is disabled by default, however when you use the ALL cipher list
> > which is of course something you should not do but it happened in perl
> > LDAP module the SSLv2 ciphers are added to the cipherlist and SSLv2
> > client hello is used.
> 
> In Postfix, I use the "ALL" cipherlist, but I also pass SSL_OP_NO_SSLv2
> to SSL_CTX_set_options().  If you can append exclusions to the cipherlist,
> you can use 'ALL:...:!SSLv2'.
> 

I know that. We are fixing perl-LDAP to not use ALL at all and stick
with the default. However we will be patching openssl anyway for any
other 3rd party cases where they intentionally or not enable SSLv2
client hello.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
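
A defender-side check for the "SSLv2 client hello" discussed in this thread, added here as an example (not code from the original messages or from OpenSSL): it classifies the first bytes a client sends and counts SSLv2-only cipher kinds in an SSLv2-format hello. The function names and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_kind { HELLO_UNKNOWN, HELLO_SSLV2_FORMAT, HELLO_TLS_RECORD };

/* Constructed sample: SSLv2-format CLIENT-HELLO, version 0x0002, three
 * cipher specs (two SSLv2 kinds, one TLS suite), 16 zero challenge bytes. */
static const uint8_t sample_v2[36] = {
    0x80, 0x22, 0x01, 0x00, 0x02, 0x00, 0x09, 0x00, 0x00, 0x00, 0x10,
    0x01, 0x00, 0x80,  0x00, 0x00, 0x2f,  0x07, 0x00, 0xc0 };
/* Constructed sample: start of an SSLv3/TLS handshake record. */
static const uint8_t sample_tls[] = { 0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00 };

/* SSLv2 framing: 2-byte header with the top bit set (15-bit length), then
 * message type 1 (CLIENT-HELLO) and a 2-byte version.
 * SSLv3/TLS framing: content type 0x16, major version 3, minor version,
 * 2-byte length, then handshake type 1 (ClientHello). */
enum hello_kind classify_client_hello(const uint8_t *p, size_t n)
{
    if (n >= 6 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01)
        return HELLO_TLS_RECORD;
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        size_t rec_len = ((size_t)(p[0] & 0x7f) << 8) | p[1];
        /* body holds type(1) + version(2) + three 2-byte lengths = 9 bytes */
        if (rec_len >= 9 && ((p[3] == 0x00 && p[4] == 0x02) || p[3] == 0x03))
            return HELLO_SSLV2_FORMAT;
    }
    return HELLO_UNKNOWN;
}

/* Cipher specs start at offset 11 and are 3 bytes each. SSLv3/TLS suites are
 * carried as 0x00,hi,lo; SSLv2 cipher kinds have a non-zero first byte.
 * Returns -1 if the buffer is not a well-formed SSLv2-format hello. */
int count_sslv2_cipher_kinds(const uint8_t *p, size_t n)
{
    if (classify_client_hello(p, n) != HELLO_SSLV2_FORMAT || n < 11)
        return -1;
    size_t spec_len = ((size_t)p[5] << 8) | p[6];
    if (spec_len % 3 != 0 || 11 + spec_len > n)
        return -1;
    int count = 0;
    for (size_t i = 0; i < spec_len; i += 3)
        count += (p[11 + i] != 0x00);
    return count;
}

int main(void)
{
    printf("SSLv2 cipher kinds offered: %d\n", count_sslv2_cipher_kinds(sample_v2, sizeof sample_v2));
    return 0;
}
```

A non-zero count from a client means its cipher list still includes SSLv2 ciphers, the situation the thread describes for the "ALL" cipher list without `SSL_OP_NO_SSLv2` or `!SSLv2`.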
