That triggers my memory. I saw this too a long time ago. If I recall correctly, if you get a TLSv1.2 connection, it's still logged as SSLv3 (there is a lack of printable enums in the OpenSSL code). I looked at my negotiation with Wireshark and saw that I got TLSv1.2 despite what the debug trace said.
I hope this could be fixed one day?

>-- Original Message --
>
>On 24/10/2014 15:53, Pradeep Gudepu wrote:
>> To my earlier code, I have added these extra flags for client:
>>
>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
>>
>> And server also has these same flags set, so that no way client and server
>> can communicate on sslv2, sslv3.
>>
>> But again in logs I see SSL3 is negotiated:
>>
>> [2014-10-24 18:00:17.063, Info < proxysrv:10684>] SSLConfig::Init:
>> SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Mon Oct 20 15:08:32
>> 2014).
>> [2014-10-24 18:02:11.640, Info < proxysrv:10684>]
>> SSLSocket::Callback: Handshake done: AES256-SHA SSLv3 Kx=RSA
>> Au=RSA Enc=AES(256) Mac=SHA1
>Does this really mean "SSLv3.0 protocol negotiated"?
>
>Or does it just mean "SSLv3.x" (which includes TLSv1.x)?
>
>Or perhaps "SSLv3 compatible cipher suite" (which also includes TLSv1.x)?
>>
>> On server, I have these ciphers set:
>>
>> ::SSL_CTX_set_cipher_list(ctx,
>> "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM");
>>
>> Is there something wrong with these ciphers? What are best cipher argument
>> for only TLSv1 communication. I think, I need not set ciphers on client side.
>>
>> Thanks – Pradeep reddy.
>
>Enjoy
>
>Jakob
>--
>Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
>Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
>This public discussion message is non-binding and may contain errors.
>WiseMo - Remote Service Management for PCs, Phones and Embedded
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
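
Added example (not from the thread or from OpenSSL): the version column in a logged cipher description names the protocol family of the cipher suite, so the Python below lists which negotiated protocols remain possible for such a log line once the disabled ones are removed. The label-to-protocol table is an assumption covering the labels OpenSSL 1.0.1 prints; `interpret` and `POSSIBLE_PROTOCOLS` are names made up here.

```python
import re

# Version column of an SSL_CIPHER_description()-style string: the protocol
# family of the cipher suite, i.e. the lowest protocol that can carry it.
# Assumption: table covers the labels printed by OpenSSL 1.0.1.
POSSIBLE_PROTOCOLS = {
    "SSLv2": ["SSLv2"],
    "SSLv3": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"],
    "TLSv1.2": ["TLSv1.2"],
}

DESC_RE = re.compile(
    r"(?P<suite>[A-Z0-9][A-Za-z0-9-]*)\s+(?P<label>SSLv2|SSLv3|TLSv1\.2)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def interpret(line, disabled=()):
    """Return what a logged cipher description does and does not prove."""
    m = DESC_RE.search(line)
    if m is None:
        return None
    # Drop protocols switched off with SSL_OP_NO_* on both peers.
    candidates = [p for p in POSSIBLE_PROTOCOLS[m["label"]] if p not in disabled]
    return {
        "suite": m["suite"],
        "label": m["label"],
        "candidates": candidates,
        "conclusive": len(candidates) == 1,
    }


# Constructed sample: the handshake line quoted in the thread, plus a
# made-up line for a suite that only exists in TLSv1.2.
SAMPLE_LOG = [
    "[2014-10-24 18:02:11.640, Info < proxysrv:10684>] SSLSocket::Callback: "
    "Handshake done: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",
    "[constructed] Handshake done: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA "
    "Enc=AESGCM(256) Mac=AEAD",
]

if __name__ == "__main__":
    # Both peers in the thread set SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3.
    for entry in SAMPLE_LOG:
        r = interpret(entry, disabled=("SSLv2", "SSLv3"))
        verdict = "conclusive" if r["conclusive"] else "not conclusive"
        print(f'{r["suite"]}: label {r["label"]}, negotiated protocol is one '
              f'of {r["candidates"]} ({verdict})')
```

To log the negotiated protocol itself, record the string returned by `SSL_get_version(ssl)` in the handshake callback alongside the cipher description.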