Date: Tue, 11 Nov 2008 10:30:32 -0500
From: John Almberg <jalmberg@identry.com>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: Disallowing ssl2
Message-ID: <F4246074-E12C-4A51-AA75-22533686D000@identry.com>
In-Reply-To: <49199B62.8020404@infracaninophile.co.uk>
References: <7F59430C-9DD9-44F1-B250-EB7109FBDF8B@identry.com> <49199B62.8020404@infracaninophile.co.uk>
> It's certainly possible to insist on SSLv3 or TLSv1 for SSL
> connections, and nothing[*] will break. The client and server will
> negotiate to find a mutually acceptable cipher and protocol level at
> the point of making the connection.

This seems to be less painful than I was anticipating...

Besides apache, I had to figure out how to boost the security on IMAP
and POP3 connections. I'm using Courier, so this was pretty simple...
just added the following to the imap and pop ssl config files:

TLS_CIPHER_LIST="HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"

I'm going to resubmit the server... hopefully it will pass this time.

But I wonder why the defaults for Apache and Courier are to accept SSL 2,
if it is so problematical?

-- John
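As an added example (not code from this thread or from Courier), a small Python check that expands a cipher string the way OpenSSL does and flags any suite the string was meant to exclude: anonymous key exchange (aNULL), export grade (EXP) and weak key sizes (LOW). It assumes a Python `ssl` module built against a modern OpenSSL, where the obsolete `!SSLv2` token is simply ignored rather than rejected; the "permissive" comparison string is constructed for the example.

```python
import ssl

# The Courier setting quoted in the message above, and a deliberately
# permissive string (constructed for this example) to compare it against.
COURIER_CIPHER_LIST = "HIGH:MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:@STRENGTH"
PERMISSIVE_CIPHER_LIST = "ALL"


def expand_cipher_list(cipher_list):
    """Return the suites OpenSSL selects for a cipher string, as the dicts
    from SSLContext.get_ciphers() (name, strength_bits, description, ...).
    The cipher string only governs suites; the protocol floor is a separate
    setting (minimum_version), which is why both must be checked on a server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # protocol floor, independent of the string
    ctx.set_ciphers(cipher_list)                   # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit_cipher_list(cipher_list, min_bits=112):
    """Flag suites a mail or web server should not offer. The 'description'
    field is the same text as `openssl ciphers -v`, so Au=None marks the
    anonymous (aNULL) suites and a trailing 'export' marks EXP suites."""
    findings = []
    for suite in expand_cipher_list(cipher_list):
        desc = suite["description"]
        if "Au=None" in desc:
            findings.append((suite["name"], "anonymous key exchange (aNULL)"))
        if "export" in desc.lower():
            findings.append((suite["name"], "export-grade (EXP)"))
        if suite["strength_bits"] < min_bits:
            findings.append((suite["name"], f"only {suite['strength_bits']}-bit (LOW)"))
    return findings


if __name__ == "__main__":
    for label, cipher_list in (("permissive", PERMISSIVE_CIPHER_LIST),
                               ("courier", COURIER_CIPHER_LIST)):
        suites = expand_cipher_list(cipher_list)
        findings = audit_cipher_list(cipher_list)
        print(f"{label}: {len(suites)} suites selected, {len(findings)} findings")
        for name, why in findings:
            print(f"  {name}: {why}")
```

On a current OpenSSL the permissive string may also come back clean for EXP and LOW, because those suites are no longer compiled in; the anonymous suites usually are, which is what the `!aNULL` term in John's string removes.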