Aha, that’s an interesting point: Or does it just mean "SSLv3.x" (which includes TLSv1.x)?
Or perhaps "SSLv3 compatible cipher suite" (which also includes TLSv1.x)? The reason I questioned my own setup, and piggy-backed on Pradeep’s first post was this: I expected to see “TLS” when such a protocol is chosen. There is a case where I specifically see TLSv1.2 in the cipher text string similar to what is shown in the ‘Handshake done: message from Pradeep’s output. Specifically, if both sides use, for example, DHE-RSA-AES128-GCM-SHA256, I see “TLSv1.2”. The place I’m trying to get to is: 1. New version of software, customer configures to disable SSLv3 2. New version of client, which supports TLS is able to connect to server 3. Old version of client, which doesn’t support TLS, gets rejected – we expect this. Thanks to all for your continued input on this thread. Dave +-+-+-+-+-+-+-+-+- Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 South St. Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749 Office: 508-249-1257, FAX: 508-497-8027, Mobile: 978-500-2546, dave.mclel...@emc.com +-+-+-+-+-+-+-+-+- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jakob Bohm Sent: Friday, October 24, 2014 12:37 PM To: openssl-users@openssl.org Subject: Re: openssl SSL3 vulnerability On 24/10/2014 15:53, Pradeep Gudepu wrote: To my earlier code, I have added these extra flags for client: SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); And server also has these same flags set, so that no way client and server can communicate on sslv2, sslv3. But again in logs I see SSL3 is negotiated: [2014-10-24 18:00:17.063, Info < proxysrv:10684>] SSLConfig::Init: SSL initiated (OpenSSL 1.0.1j 15 Oct 2014 built on: Mon Oct 20 15:08:32 2014). [2014-10-24 18:02:11.640, Info < proxysrv:10684>] SSLSocket::Callback: Handshake done: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 Does this really mean "SSLv3.0 protocol negotiated"? Or does it just mean "SSLv3.x" (which includes TLSv1.x)? Or perhaps "SSLv3 compatible cipher suite" (which also includes TLSv1.x)? On server, I have these ciphers set: ::SSL_CTX_set_cipher_list(ctx, "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM"); Is there something wrong with these ciphers? What are best cipher argument for only TLSv1 communication. I think, I need not set ciphers on client side. Thanks – Pradeep reddy. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
