Gordon Messmer writes:
> Sam Varshavchik wrote:
>
>> Try the following. Try setting TLS_PROTOCOL to SSL23, and TLS_CIPHER_LIST
>> to "SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:[EMAIL PROTECTED]", and see
>> what happens, vis-a-vis interoperability.
>
> That seems to work for pretty much everything that doesn't try to use SSL2
> exclusively:
>
>   s_client -ssl2:     no
>   s_client -ssl3:     yes (uses ssl3)
>   s_client -tls1:     yes (uses tls1)
>   s_client -no_ssl2:  yes (uses tls1)
>   s_client -no_ssl3:  yes (uses tls1)
>   s_client -no_tls1:  yes (uses ssl3)
>   sendmail:           yes
>   courierd SSL3:      yes
>   courierd SSL2:      no
>   courierd SSL23:     yes
>   courierd TLS1:      yes
>
> Reading http://cvs.openssl.org/getfile/openssl/apps/s_client.c?v=1.76.2.8.2.2,
> it looks like s_client with -no_ssl2 will use:
>
>   int off=0;                        /* accumulated SSL_OP_* flags */
>   SSL_CTX *ctx=NULL;
>   ...
>   meth=SSLv23_client_method();      /* version-flexible method */
>   ...
>   off|=SSL_OP_NO_SSLv2;             /* -no_ssl2: never offer SSLv2 */
>   ...
>   ctx=SSL_CTX_new(meth);
>   ...
>   SSL_CTX_set_options(ctx,off);     /* apply the flags to the context */
>
> ...so perhaps that's an acceptable way to disable the use of SSL2. I trust
> the server code would be substantially similar.
>
> Any thoughts on the viability of ditching the TLS_PROTOCOL setting?
Probably won't ditch, but adjust the default settings, so everything should work by default.
_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
