On Fri, May 23, 2014 at 06:11:05PM +0200, nicolas....@free.fr wrote:

> use at the very least TLSv1 (and preferably TLSv1_2) protocol if you want
> to use SSLv23_server_method(), don't forget to disable SSLv2 and 3 protocols
> (and maybe TLSv1) with the command
>
> SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);

Typically, leaving SSLv3 enabled is just fine; if both ends support
something stronger they'll negotiate that.

> third, you should also be cautious with which symmetric cipher you use:
> by default, you still have RC2 and DES activated until TLSv1.1, RC4 and
> 3DES in TLSv1.2, which are either insecure or will soon be. You could use
> these lines to avoid insecure ciphers:

Again, with the DEFAULT cipherlist, one generally negotiates the strongest
mutually-available cipher-suite, and there is little need to disable weaker
ciphers. However, since nobody uses export cipher suites or single DES
anymore, the simplest cipher-suite tweak is:

    DEFAULT:!EXPORT:!LOW

if certificates are required, or

    ALL:!EXPORT:!LOW

if anonymous (ADH or AECDH) cipher-suites are needed.

> #define CIPHERS "HIGH:+MEDIUM:!aNULL:!eNULL:!3DES:!RC4:!RC2!DES"
> SSL_CTX_set_cipher_list(ctx, CIPHERS);

This is broken: HIGH includes no MEDIUM ciphers, so the "+MEDIUM" has no
effect. The OP seemed to want no certificates, so "!aNULL" is perhaps too
restrictive. There's a missing ":" between "!RC2" and "!DES", but there are
no DES or RC2 ciphers in HIGH, so it is not clear why these are present.

As for the OP's question, it was very poorly stated, and it is far from
clear what a sensible answer might be.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org