It's certainly possible to insist on SSLv3 or TLSv1 for SSL connections, and nothing[*] will break. The client and server will negotiate to find a mutually acceptable cipher and protocol level at the point of making the connection.

This seems to be less painful than I was anticipating... Besides Apache, I had to figure out how to boost the security on IMAP and POP3 connections. I'm using Courier, so this was pretty simple... I just added the following to the imap and pop SSL config files:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

I'm going to resubmit the server... hopefully it will pass this time.

But I wonder why the defaults for Apache and Courier are to accept SSL 2, if it is so problematical?

-- John

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
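Added example, not part of John's post or of Courier/OpenSSL: a small Python model of how an OpenSSL-style cipher string such as the TLS_CIPHER_LIST above is evaluated, and how client and server then settle on a common suite. The cipher table is constructed for illustration (names follow OpenSSL's, but the strength classes are assigned here), and the directive rules are a simplified version of OpenSSL's documented ones: a plain keyword appends matching suites, `!` removes them permanently, `-` removes them until re-added, `+` moves them to the end, and `@STRENGTH` sorts by key bits. It shows the point the list is making: `HIGH` alone would still admit an SSLv2 3DES suite and an anonymous-DH suite, and only the `!SSLv2` and `!aNULL` exclusions take them out.

```python
"""Model of OpenSSL cipher-list evaluation and cipher negotiation.

Added example: the cipher table is constructed for illustration and the
directive semantics are a simplified version of OpenSSL's documented rules
(plain keyword appends, '!' removes permanently, '-' removes, '+' moves to
the end, '@STRENGTH' sorts by key bits).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Suite:
    name: str      # OpenSSL cipher-suite name
    protocol: str  # "SSLv2" or "SSLv3" (TLSv1 reuses the SSLv3 suites)
    bits: int      # symmetric key bits
    strength: str  # strength class: HIGH, MEDIUM, LOW, EXP, eNULL
    auth: str      # "RSA" or "NULL" for anonymous (unauthenticated) DH


# Constructed sample table; strength classes are assigned here for the example.
SUITES = [
    Suite("AES256-SHA",      "SSLv3", 256, "HIGH",   "RSA"),
    Suite("DES-CBC3-SHA",    "SSLv3", 168, "HIGH",   "RSA"),
    Suite("ADH-AES256-SHA",  "SSLv3", 256, "HIGH",   "NULL"),
    Suite("DES-CBC3-MD5",    "SSLv2", 168, "HIGH",   "RSA"),
    Suite("RC4-SHA",         "SSLv3", 128, "MEDIUM", "RSA"),
    Suite("RC4-MD5",         "SSLv3", 128, "MEDIUM", "RSA"),
    Suite("DES-CBC-SHA",     "SSLv3",  56, "LOW",    "RSA"),
    Suite("EXP-RC4-MD5",     "SSLv3",  40, "EXP",    "RSA"),
    Suite("EXP-RC2-CBC-MD5", "SSLv2",  40, "EXP",    "RSA"),
    Suite("NULL-SHA",        "SSLv3",   0, "eNULL",  "RSA"),
]


def matches(keyword: str, s: Suite) -> bool:
    """Does a single cipher-string keyword select this suite?"""
    if keyword == "ALL":
        return s.strength != "eNULL"   # ALL never includes no-encryption suites
    if keyword == "aNULL":
        return s.auth == "NULL"
    return keyword in (s.name, s.strength, s.protocol)


def expand_cipher_list(spec: str, table: List[Suite] = SUITES) -> List[str]:
    """Return the ordered suite names an OpenSSL-style cipher string selects."""
    current: List[Suite] = []
    killed: set = set()   # suites removed with '!' can never be re-added
    for directive in spec.split(":"):
        if not directive:
            continue
        if directive == "@STRENGTH":
            current.sort(key=lambda s: s.bits, reverse=True)  # stable sort
        elif directive[0] == "!":
            hit = [s for s in table if matches(directive[1:], s)]
            killed.update(hit)
            current = [s for s in current if s not in hit]
        elif directive[0] == "-":
            current = [s for s in current if not matches(directive[1:], s)]
        elif directive[0] == "+":
            moved = [s for s in current if matches(directive[1:], s)]
            current = [s for s in current if s not in moved] + moved
        else:
            for s in table:
                if matches(directive, s) and s not in current and s not in killed:
                    current.append(s)
    return [s.name for s in current]


def negotiate(client_offer: List[str], server_list: List[str],
              server_preference: bool = False) -> Optional[str]:
    """Pick the first mutually acceptable suite.

    An OpenSSL server honours the client's order unless told to prefer its
    own (Apache's SSLHonorCipherOrder); both behaviours are modelled here.
    """
    first, second = ((server_list, client_offer) if server_preference
                     else (client_offer, server_list))
    for name in first:
        if name in second:
            return name
    return None   # no common suite: the handshake fails


COURIER_LIST = "HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

if __name__ == "__main__":
    print("HIGH:MEDIUM     ->", expand_cipher_list("HIGH:MEDIUM"))
    print("Courier setting ->", expand_cipher_list(COURIER_LIST))
    print("negotiated      ->", negotiate(["EXP-RC4-MD5", "RC4-MD5"],
                                        expand_cipher_list(COURIER_LIST)))
```

Running it shows `HIGH:MEDIUM` on its own keeping `DES-CBC3-MD5` (SSLv2) and `ADH-AES256-SHA` (no server authentication), while the full Courier string leaves only `AES256-SHA`, `DES-CBC3-SHA`, `RC4-SHA` and `RC4-MD5`, strongest first. A client that only offers an export or SSLv2 suite gets no match at all, which is the "handshake failure" you would see from such a client once the server list is tightened. On a real server the equivalent check is `openssl ciphers -v '<your string>'`, which prints what OpenSSL itself selects.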
