On 17/10/2014 02:10, Sam Varshavchik wrote: > Oliver Mihatsch writes: > >> Behaviour when using the following variable (added !, added TLSv1_1): >> TLS_CIPHER_LIST="!SSLv3:TLSv1:TLSv1_1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH" >> >> >> >> SSLv3 working, TLS 1.0 working, TLS 1.1 working, TLS 1.2 working (no >> changes to before) >> >> >> So results were not really what I was expecting. SSLv3 and TLS1/1.1 >> are somehow just an alias for each other. > > This weirdness is entirely OpenSSL's doing. This setting is passed > directly to OpenSSL, with no further interpretation. > > Someone else already dug up the code change necessary to disable > SSLv3. It appears that a small code change is required. > Technical explanation from an experienced OpenSSL user:
The "Cipher list" only controls which ciphers can be used, not which protocols. This is by definitions. However disabling all the ciphers that *could* potentially be used by SSLv3, has the side effect of disabling SSLv3 (and also blocking anything needing to use those same ciphers with later TLS versions). This is why Oliver saw TLSv1.0 being disabled for one of his tests because the server/client combination he used did not support any TLSv1.0-compatible ciphers that weren't also TLSv3 compatible. Thus telling OpenSSL to enable/disable ciphers compatible with specific SSL/TLS versions is unlikely to produce the desired effect of just enabling/disabling specific SSL/TLS versions without confusing effects on the other protocol versions. The fact that the cipher list syntax lets you use protocol names as shorthands for "those ciphers related to that protocol version" is a confusing aspect of that interface and not of much practical use. OpenSSL has options for explicitly enabling/disabling SSL/TLS versions (and other interesting stuff) via single bit flag options for other API calls (specifically SSL*_set_mode() and SSL*_set_options()). Some OpenSSL using programs include code that lets the user configure those bit flags without recompiling, typically by listing them by name in a separate option string (because the numeric values of those flags are ABI dependent, and have changed in the past). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ------------------------------------------------------------------------------ Comprehensive Server Monitoring with Site24x7. Monitor 10 servers for $9/Month. Get alerted through email, SMS, voice calls or mobile push notifications. Take corrective actions from your mobile device. http://p.sf.net/sfu/Zoho _______________________________________________ Courier-imap mailing list Courier-imap@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
