On Fri, 7 Nov 2014 08:09 +0000 (GMT Standard Time), you wrote:
>
> > I see you speak of fixing web servers in regard to the POODLE
> > exploit. Is there any problem with clients? I see mine are set to
> > sslv23. I believe that was the default. Should I change this and if
> > so, to what?
>
> The issue with clients is they usually need to access a wide range of servers,
> some of which may not be using TLS.  Not everyone keeps their servers up to
> date.  You can try disabling v2 and v3, but then check your common sites are
> still available.
>
> SslContext.SslOptions := [sslOpt_NO_SSLv2, sslOpt_NO_SSLv3];

Thank you so much for this info.

I'm setting my TSslHttpCli and TSslSmtpCli options to:
sslOpt_NO_SSLv2 and sslOpt_NO_SSLv3

And SslVersionMethod to:
sslTLS_V1_CLIENT

> > Also, I was wondering if it's possible to get a snapshot of your
> > OpenSSL 1.0.1i or 1.0.1j?
>
> 1.0.1i has been available since August at the downloads page:
>
> http://wiki.overbyte.be/wiki/index.php/ICS_Download

Thank you for this info as well. I got 1.0.1i back when you announced 
it. I appreciate that very much.

I was referring to a snapshot of the OpenSSL project, like you provide 
Zipped Daily Snapshots for ICS-V8. I have a feeling this might be a 
problem. If so, I can live without it :) Thanks.

> We've not yet done an ICS 1.0.1j version, it's a minor release with mitigation
> for POODLE, but setting options works just as well.  There is quite a lot of
> effort in updating and testing new OpenSSL releases, and they are getting too
> regular.

I understand the effort you guys must put in because of this flurry of 
bugs in OpenSSL. Hopefully this will end soon.

Thank you so much for your excellent products and help using them,

Richard
-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be