On Fri, Jan 23, 2015, Thirumal, Karthikeyan wrote:
> Team,
> In order to fix the POODLE vulnerability on SSLv3, I tried to disable my
> SSLv3 cipher using the below cipher set, but did not even initiate SSL in
> 0.9.8a.
>
> SSL_CTX_set_cipher_list(ssl_ctx,"SHA1+HIGH:!SSLv2:!SSLv3:!aNULL:!eNULL:@STRENGTH");
>
> Without "!SSLv3" my SSL connection is working fine by blocking just SSLv2.
>
> Can you advise if the above cipher list is right?
You can't disable SSL 3.0 using a cipher list. The string "SSLv3" indicates
ciphers which require a minimum of SSL 3.0 and so includes ciphersuites which
can be used for SSL 3.0 or TLS 1.0. There aren't any ciphersuites suitable for
TLS 1.0 and not SSL 3.0, so when you use !SSLv3 you disable all TLS 1.0 and
SSL 3.0 ciphersuites.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org