On Wed, Nov 05, 2014 at 12:18:05PM +0000, Philip Bellino wrote:

> Jeffrey,
> May I ask why you included "no-ssl2" as an option to "config"?
> Is only adding "no-ssl3" not sufficient enough to fully disable SSLv3?

No.  If you leave SSLv2 enabled, and disable SSLv3, then in many
cases you always get SSLv2!  SSL/TLS clients advertise a range of
protocols (min, max) not a list.   If the "min" is SSLv2 and SSLv3
is disabled then the "max" is also SSLv2, unless explicitly disabled
by the application, or use of extensions forces SSLv3 or later.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
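
Added example, not part of the original message and not OpenSSL code: a simplified Python model of the (min, max) range rule described in the reply, showing why disabling only SSLv3 can leave a client on SSLv2. The protocol list and all function names are assumptions made for illustration, and the model ignores the application-level and extension exceptions the reply mentions.

```python
# Simplified model (constructed for illustration) of a client that can only
# advertise a contiguous (min, max) protocol range, never a list.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest first


def advertised_range(disabled):
    """Return the (min, max) the client can advertise, or None if none is left.

    The range starts at the oldest enabled protocol and stops at the first
    disabled one, because a gap cannot be expressed as (min, max).
    """
    enabled = [p not in disabled for p in PROTOCOLS]
    if True not in enabled:
        return None
    lo = enabled.index(True)
    hi = lo
    while hi + 1 < len(PROTOCOLS) and enabled[hi + 1]:
        hi += 1
    return PROTOCOLS[lo], PROTOCOLS[hi]


def has_gap(disabled):
    """Config lint: True if an enabled protocol lies above the advertised max."""
    rng = advertised_range(disabled)
    if rng is None:
        return False
    hi = PROTOCOLS.index(rng[1])
    return any(p not in disabled for p in PROTOCOLS[hi + 1:])


def negotiate(client_disabled, server_disabled):
    """Highest protocol in the client's range that the server also allows."""
    rng = advertised_range(client_disabled)
    if rng is None:
        return None
    lo, hi = (PROTOCOLS.index(p) for p in rng)
    for i in range(hi, lo - 1, -1):
        if PROTOCOLS[i] not in server_disabled:
            return PROTOCOLS[i]
    return None  # no common protocol: the handshake fails


if __name__ == "__main__":
    for disabled in ({"SSLv3"}, {"SSLv2", "SSLv3"}):
        print(sorted(disabled), advertised_range(disabled), has_gap(disabled))
```
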
