> This seems to have fixed the problem:
> SslContext->SslOptions=SslContext->SslOptions << sslOpt_NO_SSLv2 <<
> sslOpt_NO_SSLv3;
> 
> I suppose I will just leave it and hope it doesn't cause any issues 
> for my customers.

Most SSL web servers will have disabled SSLv3 to stop the Poodle and Beast exploits; some may disable TLSv1 to stop Beast, but this breaks too many older browsers as well.

I've just disabled DH ciphers on my Windows 2012 IIS8.5 server to mitigate a DH key exploit caused by Microsoft having the same hardcoded 1024-bit DHParams key on every single server, instead of generating a new key for each server.

The ECDHE ciphers are better than DH and DHE alone, and are still supported.  

This is not a problem with OpenSSL because we can generate and specify our own DHParams keys, and even if you use the files bundled with ICS, there are too few users to make it a security risk.

We only added DH and ECDH support in V8.15, and there was an ECDH fix in V8.17.

Angus

-- 
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
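The settings discussed in this thread (SSLv2 and SSLv3 off, TLSv1 still allowed, finite-field DH suites dropped while ECDHE stays), as an added Python example that is not ICS code and not part of the original messages: the same choice expressed on Python's `ssl` module, with a check that reads back which key exchanges OpenSSL actually enabled. The cipher string is an assumption for this example, not an ICS or OpenSSL default.

```python
import ssl

# Cipher string (assumption for this example, not an ICS default): keep the
# ECDHE and RSA key exchanges, drop every DH/DHE/ADH suite so the server never
# touches a fixed DHParams prime at all.
NO_DH_CIPHERS = "HIGH:!aNULL:!eNULL:!DH:!DHE:!ADH"


def make_server_context(certfile=None, keyfile=None):
    """Server-side context mirroring the quoted ICS settings:
    SSLv2 and SSLv3 off, TLSv1 left enabled, DH ciphers removed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Equivalent of the quoted sslOpt_NO_SSLv2 << sslOpt_NO_SSLv3 line.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.set_ciphers(NO_DH_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def key_exchanges(ctx):
    """Key-exchange names OpenSSL reports for the enabled suites, taken from
    the 'Kx=' token of each cipher description, e.g. {'ECDH', 'RSA', 'any'}
    ('any' is what OpenSSL prints for TLS 1.3 suites)."""
    kx = set()
    for cipher in ctx.get_ciphers():
        for token in cipher["description"].split():
            if token.startswith("Kx="):
                kx.add(token[3:])
    return kx


def uses_dh(ctx):
    """True if any enabled suite still negotiates finite-field DH."""
    return "DH" in key_exchanges(ctx)


def sslv3_disabled(ctx):
    """True if the SSLv3 protocol is switched off on the context."""
    return bool(ctx.options & ssl.OP_NO_SSLv3)


if __name__ == "__main__":
    server_ctx = make_server_context()
    print("SSLv3 disabled:", sslv3_disabled(server_ctx))
    print("key exchanges still enabled:", sorted(key_exchanges(server_ctx)))
    print("finite-field DH still in use:", uses_dh(server_ctx))
```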
