On Thu, 14 Aug 2008, Michael Ströder wrote:
...
> From my understanding this is what LDAP_OPT_X_TLS_CIPHER_SUITE is for,
> isn't it? It's directly passed to OpenSSL and can also be used to enable
> or disable SSLv2, SSLv3 and TLSv1 besides choosing the ciphers itself.

Nope. The cipher suite list and protocol versions supported are orthogonal: even if you include "!SSLv2" in your cipher suite, OpenSSL will still send an SSLv2-compatible handshake. Ditto on the server side: when OpenSSL announced a vulnerability in the server SSLv2 handshake code, I looked at whether specifying "!SSLv2" in the cipher spec would protect the server as a workaround. Nope: only setting the SSL_OP_NO_SSLv2 option or using an SSLv3-only or TLSv1-only method would do it.

> Apache HTTP server does it also that way. See:
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite

They also have the "SSLProtocol" directive, further down on that page.

Philip Guenther
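The orthogonality Philip describes can be checked directly. The following is an added example, not code from the thread or from OpenLDAP: it uses Python's ssl module as a thin wrapper over the OpenSSL context, where `minimum_version` is the counterpart of SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 or a version-specific method. Since SSLv2 is compiled out of current OpenSSL, the cipher-string exclusion used here is "!SSLv3", the analogous case.

```python
import ssl


def cipher_string_vs_protocol_floor(cipher_string, floor=ssl.TLSVersion.TLSv1_2):
    """Show that a cipher string and the protocol floor are independent knobs.

    Returns a dict describing what each step changed:
      floor_before                   - minimum_version of a fresh context
      ciphers_changed                - set_ciphers() altered the cipher list
      floor_changed_by_cipher_string - set_ciphers() moved minimum_version
      floor_after_explicit_setting   - minimum_version after setting it directly
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    floor_before = ctx.minimum_version
    ciphers_before = {c["name"] for c in ctx.get_ciphers()}

    # Step 1: a version exclusion expressed in the cipher string, the
    # approach the thread says does NOT restrict the handshake version.
    ctx.set_ciphers(cipher_string)
    ciphers_after = {c["name"] for c in ctx.get_ciphers()}
    floor_after_ciphers = ctx.minimum_version

    # Step 2: the knob that actually fixes the protocol floor (the analogue
    # of SSL_OP_NO_SSLv2 or an SSLv3-only / TLSv1-only method in the C API).
    ctx.minimum_version = floor

    return {
        "floor_before": floor_before,
        "ciphers_changed": ciphers_before != ciphers_after,
        "floor_changed_by_cipher_string": floor_before != floor_after_ciphers,
        "floor_after_explicit_setting": ctx.minimum_version,
    }


if __name__ == "__main__":
    # Constructed cipher string: OpenSSL's DEFAULT list minus SSLv3-era suites.
    for key, value in cipher_string_vs_protocol_floor("DEFAULT:!SSLv3").items():
        print(f"{key}: {value}")
```

The cipher string trims the negotiable suites, but only the explicit `minimum_version` assignment (or, in C, `SSL_CTX_set_options` with `SSL_OP_NO_*` / a version-specific method) moves the protocol floor.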
