On 01/24/2012 12:06 AM, Daniel Stenberg wrote: > On Tue, 24 Jan 2012, Nikos Mavrogiannopoulos wrote: > >> Note however that the combination of the cipher ARCFOUR with SSL 3.0 >> and TLS 1.0 is not vulnerable to these attacks. Thus a string to use >> when SSL 3.0 is required could be >> "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128". > Is ARCFOUR more likely to work with old/buggy servers than the "hacks" > you mentioned?
I can only speculate because I haven't really tested it. Given that this is a string for legacy servers, and SSL 3.0 originally only supported ARCFOUR and 3DES, you could have an issue with servers that only support 3DES. I've not seen such a server so far (although I've seen many servers that only support ARCFOUR). regards, Nikos
