On Mon, 20 Oct 2014 18:38 +0100 (BST), you wrote:
> There has been recent press about an SSL server exploit called Poodle, which
> only affects SSLv3, not the more recent TLS 1.x protocols.
> Disabling SSLv3 in servers can be done by setting:
> SslContext.SslVersionMethod := sslV23_SERVER;
> SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3,
> v2 was obsolete long ago.
> You should also change the cipher suite, Mozilla now suggests three levels of
> ciphers, which are all now added to the latest overnight ICS v8 SVN.
> The minimum browsers these ciphers support are:
> sslCiphersMozillaSrvHigh - Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7,
> Android 4.4, Java 8
> sslCiphersMozillaSrvInter - Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1,
> Windows XP IE8, Android 2.3, Java 7
> sslCiphersMozillaSrvBack - Windows XP IE6, Java 6
> so since IE6 is long obsolete I suggest:
> SslContext.SslCipherList := sslCiphersMozillaSrvInter;
> Once you have your ICS SSL web server updated and installed on a public
> there is an excellent SSL testing web site at:
> It takes a few minutes to test all the ciphers, but generates a detailed
> security report giving your web site a letter rating. Making the changes
> raised my ICS SSL site from C to A-.
I see you speak of fixing web servers in regard to the Poodle exploit.
Is there any problem with clients? I see mine are set to sslv23. I
believe that was the default. Should I change this and if so, to what?
Also, I was wondering if it's possible to get a snapshot of your OpenSSL
1.0.1i or 1.0.1j?
Thanks so much,
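An added example, not part of the original thread and not ICS code: a small Python check to run against your own server after applying the sslOpt_NO_SSLv3 change quoted above, to confirm that an SSL 3.0-only ClientHello is refused. The function names and the offered cipher suites are assumptions made for this sketch.

```python
import os
import socket
import struct

# Constructed offer: suites that exist in SSL 3.0 (RSA/DHE with AES, 3DES, RC4).
SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0033)

def build_sslv3_client_hello() -> bytes:
    """ClientHello whose highest offered version is SSL 3.0 (bytes 03 00)."""
    body = b"\x03\x00" + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", 2 * len(SUITES))
    body += b"".join(struct.pack(">H", s) for s in SUITES)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first record the server sent back."""
    if not data:
        return "rejected: connection closed"
    if data[0] == 21 and len(data) >= 7:  # alert record: level, description
        # 40 (handshake_failure) or 70 (protocol_version) are the usual refusals;
        # 40 can also mean none of the offered suites matched.
        return f"rejected: alert {data[6]}"
    if data[0] == 22 and len(data) >= 11 and data[5] == 2:  # ServerHello
        if data[9:11] == b"\x03\x00":
            return "SSLv3 ACCEPTED"
        return "unexpected version " + data[9:11].hex()
    return "unrecognised reply"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSL 3.0 hello to host:port and classify the answer."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(build_sslv3_client_hello())
            while len(data) < 11:  # enough to read the ServerHello version
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionError):
            pass  # a reset or silence is treated as whatever was received so far
    return classify_reply(data)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of "SSLv3 ACCEPTED" means the server still negotiates SSL 3.0 and the option change has not taken effect.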