Hi Angus,

On Mon, 20 Oct 2014 18:38 +0100 (BST), you wrote:
> There has been recent press about an SSL server exploit called Poodle, which
> only effect SSLv3, not the more recent TLS 1.x protocols.
> Disabling SSLv3 in servers can be done by setting:
> SslContext.SslVersionMethod := sslV23_SERVER;
> SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
> v2 was obsolete long ago.
> You should also change the cipher suite, Mozilla now suggests three levels of
> ciphers, which are all now added to the latest overnight ICS v8 SVN.
> The minimum browsers these ciphers support are:
> sslCiphersMozillaSrvHigh - Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
> Android 4.4, Java 8
> sslCiphersMozillaSrvInter -  Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
> Windows XP IE8, Android 2.3, Java 7
> sslCiphersMozillaSrvBack - Windows XP IE6, Java 6
> so since IE6 is long obsolete I suggest:
> SslContext.SslCipherList := sslCiphersMozillaSrvInter;
> Once you have your ICS SSL web server updated and installed on a public 
> server,
> there is an excellent SSL testing web site at:
> https://www.ssllabs.com/ssltest/index.html
> It takes a few minutes to test all the ciphers, but generates a detailed
> security report giving your web site a letter rating.  Making the changes 
> above
> raised my ICS SSL site from C to A-.

I see you speak of fixing web servers in regard to the poodle exploit. 
Is there any problem with clients? I see mine are set to sslv23. I 
believe that was the default. Should I change this and if so, to what?

Also, I was wondering if it's possible to get a snapshot of your openssl 
1.0.1i or 1.0.1j?

Thanks so much,


To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to