Re: default compression for openssl (zlib)?
On Tue, Aug 14, 2007, Thang Tran wrote:

> what have I to do if I want to avoid the old SSLv2. Can someone give me an
> example how I have to configure an apache server for using SSLv3 only?

Oops, should've made this clearer. It is only clients that need to avoid the
old SSLv2 compatible methods and only use SSLv3/TLSv1. Nothing needs to be
done to a server.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing [email protected]
Automated List Manager [EMAIL PROTECTED]

Re: default compression for openssl (zlib)?
Hi Jan,

thanks for your fast answer. I will try it later. Hope it works.

best regards,
Thang

> Hi,
>
> Thang Tran wrote:
>> what have I to do if I want to avoid the old SSLv2. Can someone give me
>> an example how I have to configure an apache server for using SSLv3 only?
>
> exclude it from SSLCipherSuite in your httpd.conf, something like:
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
>
> !SSLv2 means: No SSLv2.
>
> HTH
> Jan
> --
> Jan Klever (PKI Team), Phone +49 40 808077-619
>
> DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
> Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
> Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Re: default compression for openssl (zlib)?
Hi,

Thang Tran wrote:
> what have I to do if I want to avoid the old SSLv2. Can someone give me an
> example how I have to configure an apache server for using SSLv3 only?

exclude it from SSLCipherSuite in your httpd.conf, something like:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

!SSLv2 means: No SSLv2.

HTH
Jan
--
Jan Klever (PKI Team), Phone +49 40 808077-619

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Re: default compression for openssl (zlib)?
Hi,

what have I to do if I want to avoid the old SSLv2. Can someone give me an
example how I have to configure an apache server for using SSLv3 only?

best regards,
Thang

> On Mon, Aug 13, 2007, Seed, Steven wrote:
>
>> Is compression enabled now with openssl? It appears zlib compression is
>> enabled by default in version 0.9.8b (running on CentOS5)
>
> Yes. Obviously both server and client need to support it for it to work.
>
> Less obvious is that you cannot use the old SSLv2 compatible methods
> because an SSLv2 client hello doesn't support compression.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk

Re: default compression for openssl (zlib)?
On Mon, Aug 13, 2007, Seed, Steven wrote:

> Is compression enabled now with openssl? It appears zlib compression is
> enabled by default in version 0.9.8b (running on CentOS5)

Yes. Obviously both server and client need to support it for it to work.

Less obvious is that you cannot use the old SSLv2 compatible methods because
an SSLv2 client hello doesn't support compression.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
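
Added example (not written by any poster in this thread and not OpenSSL's own code): a small Python parser illustrating the point above about the two hello formats. An SSLv2-compatible ClientHello has no compression field at all, while an SSLv3/TLS ClientHello carries a compression_methods list. The sample hellos are constructed, and the function names are this example's own.

```python
import struct

# Compression method ids: 0 = null, 1 = DEFLATE (RFC 3749).
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE"}

def offered_compression(record: bytes):
    """Return (hello format, compression methods offered) for one ClientHello record."""
    try:
        # SSLv2 record: 2-byte header with the high bit set, then msg_type 1.
        if record[0] & 0x80 and record[2] == 0x01:
            rec_len = struct.unpack(">H", record[:2])[0] & 0x7FFF
            _ver, cs_len, sid_len, ch_len = struct.unpack(">HHHH", record[3:11])
            if rec_len != 9 + cs_len + sid_len + ch_len or len(record) != 2 + rec_len:
                raise ValueError("malformed SSLv2 ClientHello")
            # Only cipher specs, session id and challenge follow: there is
            # no field in which a compression method could be offered.
            return "SSLv2-compatible", []
        # SSLv3/TLS: handshake record (0x16) carrying a ClientHello (0x01).
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello")
        pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]          # session_id
        pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]  # cipher_suites
        count = record[pos]             # compression_methods length
        methods = record[pos + 1:pos + 1 + count]
        if len(methods) != count:
            raise ValueError("truncated ClientHello")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return "SSLv3/TLS", [COMPRESSION_NAMES.get(m, f"unknown({m})") for m in methods]

def build_v2_hello() -> bytes:
    """Constructed SSLv2-compatible ClientHello offering SSLv3 (version 3.0)."""
    specs = bytes.fromhex("00000400000a")   # SSLv3 suites 0x0004, 0x000a in 3-byte form
    body = b"\x01" + struct.pack(">HHHH", 0x0300, len(specs), 0, 16) + specs + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_v3_hello(methods: bytes = b"\x01\x00") -> bytes:
    """Constructed SSLv3 ClientHello; default offers DEFLATE, then null."""
    suites = bytes.fromhex("0004000a")
    hello = (struct.pack(">H", 0x0300) + bytes(32) + b"\x00"
             + struct.pack(">H", len(suites)) + suites
             + bytes([len(methods)]) + methods)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack(">HH", 0x0300, len(handshake)) + handshake

if __name__ == "__main__":
    for sample in (build_v2_hello(), build_v3_hello()):
        print(offered_compression(sample))
```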
