On Wed, Aug 26, 2015 at 01:48:45PM -0700, Franck Martin wrote:
> The best method is to use +RC4 instead of !RC4, which will put it at the
> end of the negotiated cypher list. Because STARTTLS is opportunistic, RC4
> is still better than in clear.
> 
> What you need to do is disable SSLv3.

Depending on what you're mitigating (e.g. POODLE), it's not so much
the ciphersuites, but the SSL protocols you need to manage.

SSLv3 is indeed a protocol, and that needs to be disabled, not the
ciphersuites associated with SSLv3, as there's overlap with TLS
protocols.

I.e., don't try to use !SSLv3 in describing ciphers.

-- 
Brian Reichert                          <reich...@numachi.com>
BSD admin/developer at large    

_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
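
The distinction drawn in the message above, as an added example that is not part of the original thread: Python's `ssl` module stands in here for an MTA's OpenSSL settings, and the helper names are hypothetical. It lists which ciphersuites the `!SSLv3` keyword strips from a cipher string, and shows that the protocol-level settings are a separate control that the cipher string does not touch. The exact suites listed depend on the local OpenSSL build.

```python
import ssl


def cipher_names(spec):
    """Return {suite name: protocol tag} for a server context using cipher string `spec`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def removed_by_sslv3_keyword(base="DEFAULT"):
    """Suites that disappear when '!SSLv3' is appended to the cipher string.

    The keyword selects suites first defined for SSLv3; TLS 1.0-1.2 reuse
    those same suites, so excluding them shrinks what TLS peers can negotiate.
    """
    before = cipher_names(base)
    after = cipher_names(base + ":!SSLv3")
    return {name: tag for name, tag in before.items() if name not in after}


def protocol_settings_after(spec):
    """Protocol-level state of a context once cipher string `spec` is applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    floor_before = ctx.minimum_version
    ctx.set_ciphers(spec)
    return {
        # Protocol switch: this, not the cipher string, is what refuses SSLv3.
        "sslv3_disabled": bool(ctx.options & ssl.OP_NO_SSLv3),
        # Changing the cipher string leaves the protocol floor where it was.
        "floor_unchanged": ctx.minimum_version == floor_before,
    }


if __name__ == "__main__":
    print("protocol settings:", protocol_settings_after("DEFAULT"))
    lost = removed_by_sslv3_keyword()
    print(len(lost), "suite(s) dropped by '!SSLv3':")
    for name, tag in sorted(lost.items()):
        print("  %-32s first defined in %s" % (name, tag))
```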
