Sam Varshavchik wrote:
> Try the following. Try setting TLS_PROTOCOL to SSL23, and 
> TLS_CIPHER_LIST to 
> "SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:[EMAIL PROTECTED]", and see 
> what happens, vis-a-vis interoperability.

That seems to work for pretty much everything that doesn't try to use 
SSL2 exclusively:

s_client -ssl2: no
s_client -ssl3: yes (uses ssl3)
s_client -tls1: yes (uses tls1)
s_client -no_ssl2: yes (uses tls1)
s_client -no_ssl3: yes (uses tls1)
s_client -no_tls1: yes (uses ssl3)
sendmail: yes
courierd SSL3: yes
courierd SSL2: no
courierd SSL23: yes
courierd TLS1: yes


Reading 
http://cvs.openssl.org/getfile/openssl/apps/s_client.c?v=1.76.2.8.2.2, 
it looks like s_client with -no_ssl2 will use:

    int off=0;
    SSL_CTX *ctx=NULL;
...
    meth=SSLv23_client_method();
...
            off|=SSL_OP_NO_SSLv2;
...
    ctx=SSL_CTX_new(meth);
...
        SSL_CTX_set_options(ctx,off);

...so perhaps that's an acceptable way to disable the use of SSL2.  I 
trust the server code would be substantially similar.

Any thoughts on the viability of ditching the TLS_PROTOCOL setting?


_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Reply via email to
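A worked illustration of the "version-flexible method plus an explicit list of versions to refuse" approach discussed above, written for this page as an added example in Python's ssl module; it is not code from the mail, from courier or from OpenSSL's s_client. It assumes Python 3.7 or later and an OpenSSL build that still contains TLS 1.3; the cipher string and the negotiate() model are assumed stand-ins, not anything the thread specifies. One caveat worth knowing when reading the quoted s_client excerpt: from OpenSSL 1.1.0 on, SSL_OP_NO_SSLv2 is defined as 0 because SSLv2 was removed from the library entirely, so "off|=SSL_OP_NO_SSLv2" still compiles but no longer does anything. The minimum_version/maximum_version bounds used here are what replaced the SSL_OP_NO_* bits, and PROTOCOL_TLS_SERVER/PROTOCOL_TLS_CLIENT are the modern names for the SSLv23 server and client methods.

```python
import ssl
from ssl import TLSVersion

# Protocol versions a context can be bounded to, lowest first.  The ssl module
# still names SSLv3 even though current OpenSSL builds cannot speak it.
VERSIONS = [
    TLSVersion.SSLv3,
    TLSVersion.TLSv1,
    TLSVersion.TLSv1_1,
    TLSVersion.TLSv1_2,
    TLSVersion.TLSv1_3,
]


def make_context(side, minimum=None, maximum=None, ciphers="HIGH:!aNULL:!eNULL"):
    """Build a version-flexible context, as s_client does with SSLv23_client_method().

    PROTOCOL_TLS_SERVER / PROTOCOL_TLS_CLIENT negotiate the highest version both
    peers allow.  Instead of OR-ing SSL_OP_NO_* bits into ctx.options, the
    allowed range is set with minimum_version / maximum_version, which is the
    API OpenSSL itself introduced to replace the option bits.
    """
    proto = ssl.PROTOCOL_TLS_SERVER if side == "server" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    if minimum is not None:
        ctx.minimum_version = minimum
    if maximum is not None:
        ctx.maximum_version = maximum
    # Assumed stand-in for the cipher string in the quoted mail: keeps only
    # "HIGH" suites and refuses anonymous and NULL-encryption ciphers.
    ctx.set_ciphers(ciphers)
    return ctx


def enabled_versions(ctx):
    """Return the versions the context will accept, lowest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == TLSVersion.MINIMUM_SUPPORTED:
        lo = VERSIONS[0]
    if hi == TLSVersion.MAXIMUM_SUPPORTED:
        hi = VERSIONS[-1]  # assumes the library was built with TLS 1.3
    return [v for v in VERSIONS if lo <= v <= hi]


def negotiate(server_ctx, client_ctx):
    """Model the SSLv23-style outcome: the highest version both sides allow, else None.

    This is only the version part of the handshake.  The real outcome also
    depends on the two cipher lists, the library's security level and whether
    the build still contains the old protocol at all.
    """
    common = set(enabled_versions(server_ctx)) & set(enabled_versions(client_ctx))
    return max(common) if common else None


if __name__ == "__main__":
    # Server side: the "SSL23 plus disable the old stuff" idea from the thread,
    # brought up to date by refusing everything below TLS 1.2.
    server = make_context("server", minimum=TLSVersion.TLSv1_2)
    # Two clients in the spirit of the s_client table above: one pinned to old
    # versions only, one version-flexible from TLS 1.0 upwards.
    legacy = make_context("client", minimum=TLSVersion.TLSv1, maximum=TLSVersion.TLSv1_1)
    modern = make_context("client", minimum=TLSVersion.TLSv1)
    for name, client in (("legacy client", legacy), ("modern client", modern)):
        print(f"{name}: {negotiate(server, client)}")
```

Running it prints None for the pinned-to-old-versions client and TLSVersion.TLSv1_3 for the flexible one, which is the same shape of result as the s_client table in the mail: a peer that insists on a version the server has switched off gets nothing, while anything version-flexible lands on the highest common version.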