Hello. I work for a major Internet company in my country, and we are starting to disable SSLv3 on our critical webservers, because of Poodle. But, we're experiencing some side-effects as well.
We've found out that openssl shipped with CentOS 5 (old, I know) won't talk TLS by default. So, once we cut off SSLv3, our Nagios scripts begin to fail, because they are not able to handshake with the monitored server. Forcing TLS on client-side solves it, but not every script has such an option. Even Curl won't work unless you set the proper option (-1). So, it seems pretty clear to me that this is an openssl client-side behaviour. On CentOS 6, for example, it doesn't happen.
Since upgrading every CentOS 5 box would be impossible, I was wondering if there was some kind of magic (compilation option, patch, global runtime configuration, anything) we could do on OpenSSL 0.9.8 so that it will try TLS 1.0 by default, or at least do it when SSLv23 doesn't work. I didn't find any configure option for it, though.
Does anyone know how to do it?
Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org