On Jul 26, 2010, at 3:32 PM, Charlie Brady wrote:

> On Mon, 26 Jul 2010, Matt Simerson wrote:
>
>>> Please note that SSL_version is distinct from cipher list, and is not
>>> settable in the current code.
>>
>> Sure, but what types of SSL connections are allowed when we exclude the
>> insecure SSLv2 ciphers?
>
> Good point.
>
>> Mine is also a simple untested patch, but I'm reasonably confident it
>> will do exactly what is desired. By changing a config file rather than
>> code, my solution is less likely to cause future problems.
>
> OK, but you are proposing adding code aren't you, to add the
> all/high/medium/pci aliases?

I did, initially. But once I peeked under the hood, I noticed that the plugin already has the openssl cipher strings stored in a config file. Rather than add the aliases, I just submitted a patch that altered the config file.

>> If you still wish to set SSL_version explicitly, make it a config file
>> option and set the default value to 'SSLv3' instead, which includes
>> TLSv1. That effectively does what you said cannot be done (disable only
>> SSLv2).
>
> I didn't realise the SSLv3 includes TLSv1. Did I miss that in the pod? Or
> is it just implicit in that TLSv1 is SSLv3.1, and SSLv3 means SSLv3.x?

I didn't bother much with the POD, because I'm familiar enough with openssl and what it provides. The TLS being included in SSLv3 is noted on this page:

http://www.openssl.org/docs/apps/ciphers.html

>> I'm confident such a patch would be welcomed and committed.
>
> I think you've convinced me that it is not required. Do you think it would
> be useful?

Perhaps, but I can't imagine why.

Matt
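The thread turns on the point that the cipher list and the protocol version (SSL_version) are two separate knobs. The following added example, which is not part of this thread and not the plugin's own code, makes that visible using Python's ssl module (a binding to the same OpenSSL cipher-string syntax the plugin's config file holds) rather than Perl. The cipher strings are constructed samples in ciphers(1) syntax, and the function names are my own; it assumes an OpenSSL build recent enough that no SSLv2 suites exist, so "!SSLv2" is accepted but has nothing left to exclude.

```python
import ssl

# Constructed sample cipher strings in OpenSSL ciphers(1) syntax, standing in
# for the values the thread says the plugin keeps in its config file.
# "!SSLv2" removes the SSLv2 suites from the list; modern OpenSSL no longer
# ships any, so the directive is accepted but has nothing to exclude.
SAMPLE_CIPHER_LISTS = {
    "all": "ALL:!SSLv2:!aNULL:!eNULL",
    "high": "HIGH:!SSLv2:!aNULL:!eNULL:!MD5",
}


def ciphers_by_protocol(cipher_string):
    """Cipher-list knob only: apply a cipher string and report which suites
    survived, grouped by the version OpenSSL tags each suite with ("SSLv3"
    means usable from SSLv3 upward; "TLSv1.2"/"TLSv1.3" need at least that
    version). Note that this says nothing about which versions a peer may
    negotiate; that is the other knob."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def restrict_protocol_versions(ctx, minimum=ssl.TLSVersion.TLSv1_2):
    """Protocol-version knob: independent of set_ciphers(). Refusing SSLv2,
    SSLv3 or old TLS at the handshake is done here, not via a cipher string
    (the ssl module equivalent of the plugin's SSL_version setting)."""
    ctx.minimum_version = minimum
    return ctx


def legacy_versions_refused(cipher_string, minimum=ssl.TLSVersion.TLSv1_2):
    """Build a context with both knobs set and return True when every
    protocol version below `minimum` would be refused at handshake time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    restrict_protocol_versions(ctx, minimum)
    return ctx.minimum_version >= minimum


if __name__ == "__main__":
    for label, cipher_string in SAMPLE_CIPHER_LISTS.items():
        print(f"[{label}] {cipher_string}")
        for proto, names in sorted(ciphers_by_protocol(cipher_string).items()):
            print(f"  {proto}: {len(names)} suites, e.g. {names[0]}")
    print("versions below TLS 1.2 refused:",
          legacy_versions_refused(SAMPLE_CIPHER_LISTS["high"]))
```

Running it shows that even the "high" string still lists suites tagged SSLv3 (they are usable from SSLv3 upward), which is exactly why trimming the cipher list alone cannot disable a protocol version; only the minimum-version setting does that.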