On Tue, 24 Jan 2012, Nikos Mavrogiannopoulos wrote:
Note however that the combination of the cipher ARCFOUR with SSL 3.0 and TLS 1.0 is not vulnerable to these attacks. Thus a string to use when SSL 3.0 is required could be "NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0:-CIPHER-ALL:+ARCFOUR-128".
Is ARCFOUR more likely to work with old/buggy servers than the "hacks" you mentioned?
-- / daniel.haxx.se
