On Fri, Jun 15, 2012, Erik Forsberg wrote:

> To answer my own question, seems the code that generates the
> SSL_CIPHER_description() output does not make any difference between SSLv3,
> TLSv1.0 and TLSv1.1. Only TLSv1.2 is displayed as such. So in my case, I
> probably did have a TLSv1 connection. Confusing ...
>
> A followup question, is it correct that TLSv1 in the cipher string disables
> TLSv1.2 ciphers ? I didn't expect that.
>
The cipher string doesn't make any difference to the version of SSL/TLS
negotiated[*]. The TLSv1 string includes ciphers which can be used for TLS 1.0
and above, so specifying it means TLS v1.2 can be negotiated. There isn't
currently a TLS 1.2 option for the cipherstring, though that will be fixed at
some point.

Steve.

* There is an exception to this relating to the deprecated SSLv2 protocol and
OpenSSL 1.0 and later. If no SSLv2 ciphers are included in the cipherstring
(the default now excludes them) then SSLv2 will not be negotiated and the "TLS
client hello in an SSLv2 client hello" is not sent. This effectively disables
SSL v2.0 by default and means compression and extensions can be used.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
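The point of the reply, shown in working code as an added example that is not part of the thread and not OpenSSL's own code: Python's ssl module is a thin wrapper over libssl, so it can show both halves of Erik's confusion at once. The version label that SSL_CIPHER_description() (and ssl's cipher()/get_ciphers()) attaches to a suite is the oldest protocol the suite is defined for, and a suite labelled "TLSv1" is negotiated without complaint under TLS 1.2; the version actually used is bounded by minimum_version/maximum_version (SSL_CTX_set_min/max_proto_version() in C), not by the cipher string. Assumptions: OpenSSL 1.1.1 or 3.x built with the anonymous ECDH suites (used here only so the toy server needs no certificate, never on a real endpoint), Python 3.7 or later, and the constructed cipher string and function names below.

```python
# Added example, not code from the thread or from the OpenSSL project.
# Assumptions: OpenSSL 1.1.1+/3.x with the anonymous ECDH suites present,
# Python 3.7+ (SSLContext.minimum_version / maximum_version).
import ssl

# Constructed cipher string. AECDH-AES128-SHA is an anonymous, SHA-1 MAC suite
# that libssl labels "TLSv1" (the oldest version it is defined for). It is used
# only so the in-memory server needs no certificate. "@SECLEVEL=0" is required
# because anonymous suites are refused at the default security level.
ANON_SUITE = "AECDH-AES128-SHA"
CIPHER_STRING = ANON_SUITE + ":@SECLEVEL=0"


def suite_version_labels(cipher_string):
    """Map every suite the cipher string selects to the version label libssl
    gives it (the same text SSL_CIPHER_description() prints). TLS 1.3 suites,
    which libssl configures separately, also show up in the list: the cipher
    string does not fence off newer protocol versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def negotiate(cipher_string,
              min_version=ssl.TLSVersion.TLSv1_2,
              max_version=ssl.TLSVersion.TLSv1_2):
    """Run an in-memory client/server handshake with the same cipher string on
    both sides and return (negotiated protocol, suite name, suite label).

    The protocol bounds come from minimum_version / maximum_version, the
    ssl-module face of SSL_CTX_set_min_proto_version() and
    SSL_CTX_set_max_proto_version(). That, not the cipher string, is the knob
    that pins a version."""
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False       # anonymous suite: there is no
    client.verify_mode = ssl.CERT_NONE  # certificate to verify
    for ctx in (server, client):
        ctx.set_ciphers(cipher_string)
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    cli = client.wrap_bio(c_in, c_out, server_side=False)
    srv = server.wrap_bio(s_in, s_out, server_side=True)

    # Shuttle handshake flights between the two sides until both finish.
    done = {"client": False, "server": False}
    sides = (("client", cli, c_out, s_in), ("server", srv, s_out, c_in))
    for _ in range(8):
        for side, obj, outgoing, peer_incoming in sides:
            if not done[side]:
                try:
                    obj.do_handshake()
                    done[side] = True
                except ssl.SSLWantReadError:
                    pass  # waiting for the peer's next flight
            peer_incoming.write(outgoing.read())
        if all(done.values()):
            break
    else:
        raise RuntimeError("handshake did not complete")

    # cipher() reports the suite's own label (SSL_CIPHER_get_version), while
    # version() reports what the connection negotiated (SSL_get_version).
    name, label, _bits = cli.cipher()
    return cli.version(), name, label


if __name__ == "__main__":
    print(suite_version_labels(CIPHER_STRING))
    print(negotiate(CIPHER_STRING))
```

Running it shows the suite carrying a "TLSv1"-style label while the connection reports TLSv1.2. The same check from the command line: `openssl ciphers -v 'TLSv1'` prints the per-suite labels, and `openssl s_client -tls1_2` against a server shows the negotiated version. Later OpenSSL releases did add a `TLSv1.2` cipher-string alias, but it too selects suites, not versions.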