> We can't find any way of disabling TLS 1.0 and leaving TLS 1.1 and 
> TLS 1.2 as the only enabled protocols for the TSslSocket.

Correct, there have been a number of improvements in OpenSSL over the past few
years that have been skipped by ICS, primarily because ICS seemed to support
new OpenSSL releases without change.

But I've spent the last few days updating SSL support in ICS, there are new
sslTLS_V1_1, sslTLS_V1_2 and sslBestVer version methods and six new options
including sslOpt_NO_TLSv1_1 and sslOpt_NO_TLSv1_2.

But mainly I'm adding support for DH key exchange which seems to be missed in
the original development, and restricts the ciphers that our servers can
support.  Specifically, it means ciphers offering 'forward secrecy' are not
supported by servers (clients are OK), which reduces our ratings by SSL
security checks.

It's not finished yet, should only be a couple of days. 

If anyone is aware of other OpenSSL features missing from the ICS
implementation, now is the time to speak up. OpenSSL 1.0.2 will be supported by
the new version, but I cannot see any major interface changes, just minor
things.

Angus