Hello List!

I have a client that is using openssl version 0.9.7a
Feb 19 2003. Recently, he ran a security audit on his
machine, and the report came back stating the
following:

Vulnerability -- imaps (993/tcp) - 21643    Synopsis: The remote service supports the use of weak SSL ciphers

Vulnerability -- pop3s (995/tcp) - 21643    Synopsis: The remote service supports the use of weak SSL ciphers

The ciphers that he is using are these:

SSL_RSA_WITH_RC4_128_MD5\
,SSL_RSA_WITH_RC4_128_SHA\
,TLS_RSA_WITH_AES_128_CBC_SHA\
,TLS_DHE_RSA_WITH_AES_128_CBC_SHA\
,TLS_DHE_DSS_WITH_AES_128_CBC_SHA\
,SSL_RSA_WITH_3DES_EDE_CBC_SHA\
,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA\
,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA\
,SSL_RSA_WITH_DES_CBC_SHA\
,SSL_DHE_RSA_WITH_DES_CBC_SHA\
,SSL_DHE_DSS_WITH_DES_CBC_SHA\
,SSL_RSA_EXPORT_WITH_RC4_40_MD5\
,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA\
,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\
,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA

Questions
1) I believe these are sslv3 ciphers, but is there a
way to verify the above string is sslv3 compliant?

2) Is there a way to *turn off* sslv2 in openssl?

My best to you all, 

king0770
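
Added example, not part of the original post: a short Python check that parses the cipher string as posted, confirms each entry has the SSL 3.0/TLS `..._WITH_...` suite-name form rather than the SSL 2.0 `SSL_CK_*` cipher-kind form, and separates export-grade and single-DES suites from the rest. The 112-bit threshold and all helper names are assumptions of this example, not the audit tool's own rule.

```python
import re

# Cipher string as posted in the message (comma-separated, "\" continuations).
POSTED = r"""SSL_RSA_WITH_RC4_128_MD5\
,SSL_RSA_WITH_RC4_128_SHA\
,TLS_RSA_WITH_AES_128_CBC_SHA\
,TLS_DHE_RSA_WITH_AES_128_CBC_SHA\
,TLS_DHE_DSS_WITH_AES_128_CBC_SHA\
,SSL_RSA_WITH_3DES_EDE_CBC_SHA\
,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA\
,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA\
,SSL_RSA_WITH_DES_CBC_SHA\
,SSL_DHE_RSA_WITH_DES_CBC_SHA\
,SSL_DHE_DSS_WITH_DES_CBC_SHA\
,SSL_RSA_EXPORT_WITH_RC4_40_MD5\
,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA\
,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA\
,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"""

# Name fragment -> key strength in bits; first match wins, so export-grade
# variants are tested before the full-strength cipher of the same family.
STRENGTH = [("_EXPORT_", 40), ("_DES_CBC_", 56), ("_3DES_EDE_", 112),
            ("_RC4_128_", 128), ("_AES_128_", 128), ("_AES_256_", 256)]
WEAK_BELOW = 112  # assumption for this example, not the scanner's own rule
SUITE_FORM = re.compile(r"^(SSL|TLS)_(?!CK_)[A-Z0-9_]+_WITH_[A-Z0-9_]+$")

def parse(cipher_string):  # split on commas, backslashes and whitespace
    return [t for t in re.split(r"[\\,\s]+", cipher_string) if t]

def key_bits(name):
    for fragment, bits in STRENGTH:
        if fragment in name:
            return bits
    raise ValueError("unrecognised suite name: " + name)

def audit(cipher_string):  # returns (weak, strong, not_suite_form)
    weak, strong, odd = [], [], []
    for name in parse(cipher_string):
        if not SUITE_FORM.match(name):
            odd.append(name)  # e.g. an SSL 2.0 cipher kind (SSL_CK_*)
        elif key_bits(name) < WEAK_BELOW:
            weak.append(name)
        else:
            strong.append(name)
    return weak, strong, odd

if __name__ == "__main__":
    for label, names in zip(("weak", "kept", "not suite form"), audit(POSTED)):
        print(label, len(names), ",".join(names))
```

The split is by key length only; it says nothing about which protocol versions the server will negotiate, which is a separate setting from the cipher list.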




      


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
