Re: [courier-users] courier TLS_PROTOCOL compatibility
From: Gordon M. <yi...@eb...> - 2008-03-11 04:59:55
Sam Varshavchik wrote:
> Try the following. Try setting TLS_PROTOCOL to SSL23, and
> TLS_CIPHER_LIST to
> "SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH", and see
> what happens, vis-a-vis interoperability.

That seems to work for pretty much everything that doesn't try to use SSL2 exclusively:

s_client -ssl2:     no
s_client -ssl3:     yes (uses ssl3)
s_client -tls1:     yes (uses tls1)
s_client -no_ssl2:  yes (uses tls1)
s_client -no_ssl3:  yes (uses tls1)
s_client -no_tls1:  yes (uses ssl3)
sendmail:           yes
courierd SSL3:      yes
courierd SSL2:      no
courierd SSL23:     yes
courierd TLS1:      yes

Reading http://cvs.openssl.org/getfile/openssl/apps/s_client.c?v=1.76.2.8.2.2, it looks like s_client with -no_ssl2 will use:

    int off=0;
    SSL_CTX *ctx=NULL;
    ...
    meth=SSLv23_client_method();   /* version-flexible method: negotiates any version */
    ...
    off|=SSL_OP_NO_SSLv2;          /* then mask SSLv2 back out */
    ...
    ctx=SSL_CTX_new(meth);
    ...
    SSL_CTX_set_options(ctx,off);

...so perhaps that's an acceptable way to disable the use of SSL2. I trust the server code would be substantially similar.

Any thoughts on the viability of ditching the TLS_PROTOCOL setting?
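The approach the s_client excerpt shows, a version-flexible method plus SSL_OP_NO_* masks instead of a fixed-version method per TLS_PROTOCOL value, written up as an added example that is not part of the thread or of Courier: Python's ssl module stands in for the OpenSSL C API (PROTOCOL_TLS_SERVER is SSLv23_server_method()), and the mapping from Courier's TLS_PROTOCOL strings to option bits is my own assumption about how such a replacement could look.

```python
import ssl

# The cipher list Sam suggested in the thread, used here as a plain
# configuration string. Unknown aliases in it are ignored by OpenSSL.
TLS_CIPHER_LIST = "SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!NULL@STRENGTH"

# SSL_OP_NO_* masks as exposed by Python's ssl module. On OpenSSL >= 1.1.0
# OP_NO_SSLv2 is 0: SSLv2 is gone from the library, so there is nothing to mask.
_NO_VERSION = {
    "SSL2": ssl.OP_NO_SSLv2,
    "SSL3": ssl.OP_NO_SSLv3,
    "TLS1": ssl.OP_NO_TLSv1,
    "TLS1_1": ssl.OP_NO_TLSv1_1,
    "TLS1_2": ssl.OP_NO_TLSv1_2,
    "TLS1_3": ssl.OP_NO_TLSv1_3,
}


def build_server_context(tls_protocol, cipher_list=TLS_CIPHER_LIST):
    """Emulate a Courier-style TLS_PROTOCOL value with one flexible method.

    Assumed mapping (not Courier's code): "SSL23" keeps negotiation on and
    only forbids SSLv2, as in the s_client excerpt; any other value pins
    that single version by masking every other one off.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # == SSLv23_server_method()
    if tls_protocol == "SSL23":
        ctx.options |= ssl.OP_NO_SSLv2            # == SSL_CTX_set_options(ctx, off)
    else:
        if tls_protocol not in _NO_VERSION:
            raise ValueError("unknown TLS_PROTOCOL %r" % tls_protocol)
        for name, mask in _NO_VERSION.items():
            if name != tls_protocol:
                ctx.options |= mask
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    return ctx


def negotiable_versions(ctx):
    """Versions the context could still negotiate, judged by its option bits.

    A zero mask means this OpenSSL build cannot speak the version at all,
    so it is reported as not negotiable rather than as allowed.
    """
    return [name for name, mask in _NO_VERSION.items()
            if mask and not (ctx.options & mask)]
```

Python's PROTOCOL_TLS_SERVER already carries OP_NO_SSLv2 and OP_NO_SSLv3 by default, so the "SSL23" case leaves SSLv3 off as well on any current interpreter.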