There has been recent press about an SSL server exploit called POODLE, which
only affects SSLv3, not the more recent TLS 1.x protocols.

Disabling SSLv3 in servers can be done by setting:

SslContext.SslVersionMethod := sslV23_SERVER;   { negotiate the highest version both sides support }
SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,   { but never fall back to SSLv2 or SSLv3 }
                          sslOpt_CIPHER_SERVER_PREFERENCE];   { server, not client, picks the cipher }

SSLv2 was obsolete long ago.

You should also change the cipher list. Mozilla now suggests three levels of
ciphers, all of which have been added to the latest overnight ICS v8 SVN build.

The oldest clients each of these cipher lists still supports are:

sslCiphersMozillaSrvHigh  - Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
                            Android 4.4, Java 8

sslCiphersMozillaSrvInter - Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
                            Windows XP IE8, Android 2.3, Java 7

sslCiphersMozillaSrvBack  - Windows XP IE6, Java 6

So, since IE6 is long obsolete, I suggest:

SslContext.SslCipherList := sslCiphersMozillaSrvInter; 
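Putting the protocol, option and cipher settings above together in one place, here is an added example (my own illustration, not code from Angus or from the ICS distribution) of a procedure that prepares a server-side TSslContext before the listening socket is started. It assumes ICS v8 with the OverbyteIcsWSocket and OverbyteIcsSSLEAY units, and that the caller supplies real certificate and key paths; the file names shown are placeholders.

```pascal
{ Added example, not part of the original post.
  Assumes ICS v8: TSslContext and the sslOpt_/sslV23_ identifiers live in
  OverbyteIcsWSocket, the sslCiphersMozilla* constants in the ICS SSL units. }
uses
  SysUtils, OverbyteIcsWSocket, OverbyteIcsSSLEAY;

procedure ConfigureServerSslContext(SslContext: TSslContext;
  const CertFile, KeyFile: string);
begin
  { Server certificate and private key; placeholder paths are passed in by
    the caller, e.g. 'C:\certs\server.pem' and 'C:\certs\server.key' }
  if not FileExists(CertFile) then
    raise Exception.Create('Certificate file not found: ' + CertFile);
  if not FileExists(KeyFile) then
    raise Exception.Create('Private key file not found: ' + KeyFile);
  SslContext.SslCertFile    := CertFile;
  SslContext.SslPrivKeyFile := KeyFile;

  { sslV23_SERVER lets OpenSSL negotiate the highest common version, which
    on its own would still accept an SSLv3 client. The NO_SSLv2/NO_SSLv3
    options remove both obsolete protocols so only TLS 1.x can be agreed;
    CIPHER_SERVER_PREFERENCE makes our cipher ordering win over the client's. }
  SslContext.SslVersionMethod := sslV23_SERVER;
  SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
                            sslOpt_CIPHER_SERVER_PREFERENCE];

  { Mozilla "intermediate" list: drops IE6 and Java 6, keeps XP IE8,
    Android 2.3 and Java 7 working }
  SslContext.SslCipherList := sslCiphersMozillaSrvInter;

  { Build the underlying OpenSSL context now, so a bad certificate or key
    fails here at startup rather than on the first client connection }
  SslContext.InitContext;
end;
```

Call this once, before the server component that references the context starts listening; if you later need to support only current clients, swapping sslCiphersMozillaSrvInter for sslCiphersMozillaSrvHigh is the only change required.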


Once you have your ICS SSL web server updated and installed on a public server,
there is an excellent SSL testing web site at:

https://www.ssllabs.com/ssltest/index.html

It takes a few minutes to test all the ciphers, but generates a detailed
security report giving your web site a letter rating.  Making the changes above
raised my ICS SSL site from C to A-.  

Angus
