To answer my own question, it seems the code that generates the SSL_CIPHER_description() output does not make any distinction between SSLv3, TLSv1.0 and TLSv1.1. Only TLSv1.2 is displayed as such. So in my case, I probably did have a TLSv1 connection. Confusing ...
A follow-up question: is it correct that TLSv1 in the cipher string disables TLSv1.2 ciphers? I didn't expect that.

>-- Original Message --
>Date: Fri, 15 Jun 2012 14:34:27 -0700
>From: "Erik Forsberg" <e...@efca.com>
>Subject: How does cipher selection and TLS protocol negotiation interact
>To: openssl-users@openssl.org
>Reply-To: openssl-users@openssl.org
>
>
>I have a weird case that I cannot properly explain.
>Using OpenSSL 1.0.1c for both client and server, I was testing various
>combinations of ciphers and protocol version requests.
>
>Basically, the server uses SSLv23_server_method().
>The client code uses SSLv23_client_method() and SSL_OP_NO_SSLv2
>
>Then, if I have the following cipher list (which I have used for a long
>time)
>TLSv1+HIGH:!CAMELLIA:!SSLv2:RC4+MEDIUM:!MD5:!aNULL:!eNULL:@STRENGTH
>(same for client and server side)
>
>I always get an SSLv3 connection, regardless of what the client asks for.
>
>Changing the cipher list to (removing the TLSv1)
>HIGH:!CAMELLIA:!SSLv2:RC4+MEDIUM:!MD5:!aNULL:!eNULL:@STRENGTH
>
>I start getting TLS1.2 connections. Question is, in the first case,
>why don't I get a TLSv1 connection? Furthermore, high strength
>ciphers from TLSv1 should still be usable for TLS 1.1 and 1.2, so
>why don't I get a TLS1.2 connection in the first case?
>
>
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-users@openssl.org
>Automated List Manager                           majord...@openssl.org