I'm going to try this question again because it seems like there are some anomalies in the OpenSSL implementation: which cipher suites are available in which versions of SSL/TLS?
Using Appendix A.5 from the TLS 1.0, 1.1, and 1.2 RFCs, it looks to me as though there are some cipher suites in TLS 1.0 that are deprecated (and not allowed?) in TLS 1.1 and 1.2. For example:

Valid in TLS 1.0: TLS_*_EXPORT_*, but not valid in TLS 1.1 and 1.2.
Valid in TLS 1.0 and 1.1: TLS_*_DES_*, but not valid in TLS 1.2.

Yet, it seems that OpenSSL 1.0.1e allows the single DES cipher suites with TLS 1.2, for example. I found this chunk of code in ssl3_choose_cipher() in ssl/s3_lib.c:

    /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */
    if ((c->algorithm_ssl & SSL_TLSV1_2) &&
        (TLS1_get_version(s) < TLS1_2_VERSION))
        continue;

Thanks.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
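The check quoted in the post enforces only a lower version bound. As an added example (not part of the original post and not OpenSSL code), this Python sketch audits lines in the `openssl ciphers -v` column layout against both that lower bound and the upper bounds the poster reads from Appendix A.5. The sample listing is constructed and the function names are hypothetical.

```python
import re

# TLS protocol versions as their wire values.
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303

# Constructed sample in the column layout of `openssl ciphers -v`.
SAMPLE = """\
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""

def parse_line(line):
    """Split one listing line into the fields the audit needs."""
    fields = line.split()
    if len(fields) < 6:
        return None  # blank or malformed line
    attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    return {"name": fields[0], "proto": fields[1],
            "enc": attrs.get("Enc", ""), "export": "export" in fields[6:]}

def version_window(suite):
    """Return (lowest, highest) TLS version per the post's reading of the RFCs."""
    # Lower bound: same idea as the quoted "TLS v1.2 only" check.
    lo = TLS1_2 if suite["proto"] == "TLSv1.2" else TLS1_0
    hi = TLS1_2
    if suite["export"]:
        hi = TLS1_0                      # EXPORT suites: TLS 1.0 only
    elif re.fullmatch(r"DES\(\d+\)", suite["enc"]):
        hi = TLS1_1                      # single DES (not 3DES): up to TLS 1.1
    return lo, hi

def disallowed(listing, negotiated):
    """Names of suites that fall outside their window for this version."""
    flagged = []
    for line in listing.splitlines():
        suite = parse_line(line)
        if suite is None:
            continue
        lo, hi = version_window(suite)
        if not lo <= negotiated <= hi:
            flagged.append(suite["name"])
    return flagged

if __name__ == "__main__":
    for label, ver in (("TLS 1.0", TLS1_0), ("TLS 1.1", TLS1_1), ("TLS 1.2", TLS1_2)):
        print(label, disallowed(SAMPLE, ver))
```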