Timo Sirainen wrote:
So I guess what happens is that OpenSSL advertises that it supports
SSLv2. But then the ssl_cipher_list's !SSLv2 doesn't let the SSLv2
handshake actually go through. So it's not really possible to use SSLv2.
You can verify this with:

openssl s_client -ssl2 -connect localhost:995
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Mountain View/O=Out of the Box Computing/CN=ootbcomp.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Out of the Box Computing/CN=ootbcomp.com
verify return:1
10171:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

So you're saying that because the last line shows the cipher list stopping it, then the security problems with SSLv2 can't bite me?

Patrick
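
Added example, not part of either poster's message: a shell helper that classifies a saved transcript of the s_client check above, so the same test can be repeated after configuration changes. The function names and verdict strings are hypothetical, the first sample reuses two lines of the transcript quoted above, and the other two samples are constructed.

```shell
#!/bin/sh
# Reads `openssl s_client -ssl2 -connect host:port` output on stdin and prints
# one verdict word. Verdict names are made up for this example.
# (-ssl2 only exists in OpenSSL builds that still include SSLv2.)
classify_sslv2_probe() {
    awk '
        # SSLv2 SERVER-HELLO arrived but carried an empty cipher list.
        /GET_SERVER_HELLO:no cipher list/ { refused = 1 }
        # SSL-Session block fields printed by s_client.
        /^[ \t]*Protocol[ \t]*:[ \t]*SSLv2/ { proto = 1 }
        /^[ \t]*Cipher[ \t]*:/ {
            sub(/^[ \t]*Cipher[ \t]*:[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            # A failed handshake still prints a session block with 0000.
            if ($0 != "(NONE)" && $0 != "0000") cipher = 1
        }
        END {
            if (proto && cipher) print "negotiated"
            else if (refused)    print "advertised-no-ciphers"
            else                 print "inconclusive"
        }
    '
}

sample_refused() {       # two lines taken from the transcript in the thread
cat <<'EOF'
CONNECTED(00000003)
10171:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
EOF
}

sample_refused_block() { # constructed: same failure plus an empty session block
    sample_refused
    printf 'SSL-Session:\n    Protocol  : SSLv2\n    Cipher    : 0000\n'
}

sample_negotiated() {    # constructed: a handshake that completed over SSLv2
cat <<'EOF'
CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
EOF
}

printf 'thread transcript: %s\n' "$(sample_refused | classify_sslv2_probe)"
printf 'constructed sample: %s\n' "$(sample_negotiated | classify_sslv2_probe)"
```

Against a live server, pipe the command's combined output into the function, for example `openssl s_client -ssl2 -connect localhost:995 2>&1 </dev/null | classify_sslv2_probe`.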
